Pin github/codeql-action action to df55935 - abandoned #162

renovate · 2025-07-06T00:18:42Z

This PR contains the following updates:

Package	Type	Update	Change
github/codeql-action	action	pinDigest	-> `df55935`

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

gitnotebooks · 2025-07-06T00:18:46Z

Review these changes at https://app.gitnotebooks.com/AlphaSphereDotAI/visualizr/pull/162

sourcery-ai · 2025-07-06T00:18:47Z

Reviewer's Guide

This PR updates the GitHub Actions workflow to pin the jlumbroso/free-disk-space action to a specific commit SHA, ensuring reproducible and secure CI runs.

File-Level Changes

Change	Details	Files
Pin jlumbroso/free-disk-space action to a specific commit digest	Replaced the action tag reference (@v1.3.1) with its full SHA digest in the workflow step	`.github/workflows/docker.yaml`

Tips and commands

Interacting with Sourcery

Trigger a new review: Comment @sourcery-ai review on the pull request.
Continue discussions: Reply directly to Sourcery's review comments.
Generate a GitHub issue from a review comment: Ask Sourcery to create an
issue from a review comment by replying to it. You can also reply to a
review comment with @sourcery-ai issue to create an issue from it.
Generate a pull request title: Write @sourcery-ai anywhere in the pull
request title to generate a title at any time. You can also comment
@sourcery-ai title on the pull request to (re-)generate the title at any time.
Generate a pull request summary: Write @sourcery-ai summary anywhere in
the pull request body to generate a PR summary at any time exactly where you
want it. You can also comment @sourcery-ai summary on the pull request to
(re-)generate the summary at any time.
Generate reviewer's guide: Comment @sourcery-ai guide on the pull
request to (re-)generate the reviewer's guide at any time.
Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
pull request to resolve all Sourcery comments. Useful if you've already
addressed all the comments and don't want to see them anymore.
Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
request to dismiss all existing Sourcery reviews. Especially useful if you
want to start fresh with a new review - don't forget to comment
@sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

Enable or disable review features such as the Sourcery-generated pull request
summary, the reviewer's guide, and others.
Change the review language.
Add, remove or edit custom review instructions.
Adjust other review settings.

Getting Help

Contact our support team for questions or feedback.
Visit our documentation for detailed guides and information.
Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

coderabbitai · 2025-07-06T00:18:49Z

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Join our Discord community for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

Visit our Status Page to check the current availability of CodeRabbit.
Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

deepsource-io · 2025-07-06T00:19:13Z

Here's the code health analysis summary for commits be67c37..d745b66. View details on DeepSource ↗.

Analysis Summary

Analyzer	Status	Link
Python	✅ Success	View Check ↗
Docker	✅ Success	View Check ↗
Secrets	✅ Success	View Check ↗

💡 If you’re a repository administrator, you can configure the quality gates from the settings.

sonarqubecloud · 2025-07-06T00:19:26Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

github-actions · 2025-07-06T00:25:03Z

Qodana for Python

569 new problems were found

Inspection name	Severity	Problems
`Attempt to call a non-callable object`	🔶 Warning	63
`Unbound local variables`	🔶 Warning	19
`Invalid type hints definitions and usages`	🔶 Warning	4
`Incorrect call arguments`	🔶 Warning	3
`Incorrect type`	🔶 Warning	3
`Check third party software list`	🔶 Warning	1
`Line is longer than allowed by code style`	🔶 Warning	1
`Problematic whitespace`	🔶 Warning	1
`Missing or empty docstring`	◽️ Notice	303
`Incorrect docstring`	◽️ Notice	41
`PEP 8 naming convention violation`	◽️ Notice	26
`Incorrect formatting`	◽️ Notice	24
`An instance attribute is defined outside` init``	◽️ Notice	20
`Unused local symbols`	◽️ Notice	20
`Class has no` init `method`	◽️ Notice	10
`The function argument is equal to the default parameter value`	◽️ Notice	9
`Method is not declared static`	◽️ Notice	7
`Duplicated code fragment`	◽️ Notice	5
`Shadowing names from outer scopes`	◽️ Notice	4
`Inconsistent return statements`	◽️ Notice	2
`Accessing a protected member of a class or a module`	◽️ Notice	2
`Dictionary creation can be rewritten by dictionary literal`	◽️ Notice	1

☁️ View the detailed Qodana report

Contact Qodana team

Contact us at [email protected]

Or via our issue tracker: https://jb.gg/qodana-issue
Or share your feedback: https://jb.gg/qodana-discussions

mergify · 2025-08-17T01:31:26Z

Hi @renovate[bot], Your PR is in conflict and cannot be merged.

mergify · 2025-08-17T01:33:41Z

🧪 CI Insights

Here's what we observed from your CI run for d745b66.

❌ Failed Jobs

Pipeline	Job	Retries	🔍 CI Insights	📄 Logs
`Test`	`Lint / Check`	`0`	View	View
	`Test Image / API Test`	`0`	View	View
	`Test Image / Build and push Docker image to ghcr.io`	`0`	View	View

MH0386 · 2025-08-17T13:54:42Z

Recommended fixes for image `ghcr.io/alphaspheredotai/visualizr:d9d4962-pr-162`

Base image is python:3.10-slim

Name	3.10.18-slim-bookworm
Digest	sha256:fd939bec23d8e9a1274d70e24db96bceed53e56612f828098f5505086a64f523
Vulnerabilities
Pushed	2 months ago
Size	47 MB
Packages	153
Flavor	debian
OS	12
Runtime	3.10.18
Slim	✅

The base image is also available under the supported tag(s): 3.10-slim-bookworm, 3.10.18-slim, 3.10.18-slim-bookworm

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

Tag	Details	Pushed	Vulnerabilities
`3.10-slim` Newer image for same tag Also known as: 3.10.18-slim 3.10-slim-trixie 3.10.18-slim-trixie	Benefits: Patch runtime version update Same OS detected Newer image for same tag Image is smaller by 2.1 MB Image contains 27 fewer packages Tag was pushed more recently Image introduces no new vulnerability but removes 15 Tag is using slim variant 3.10-slim was pulled 162K times last month Image details: Size: 45 MB Runtime: 3.10.18	1 week ago

Change base image

Tag	Details	Pushed
`3.13-slim` Minor runtime version update Also known as: 3.13.7-slim 3-slim slim slim-trixie 3-slim-trixie 3.13-slim-trixie 3.13.7-slim-trixie	Benefits: Same OS detected Minor runtime version update Image is smaller by 4.4 MB Image contains 29 fewer packages Tag was pushed more recently Image introduces no new vulnerability but removes 18 Tag is using slim variant Image details: Size: 43 MB Runtime: 3.13.7	2 days ago
`3.12-slim` Minor runtime version update Also known as: 3.12.11-slim 3.12-slim-trixie 3.12.11-slim-trixie	Benefits: Same OS detected Minor runtime version update Image is smaller by 4.0 MB Image contains 29 fewer packages Tag was pushed more recently Image introduces no new vulnerability but removes 18 Tag is using slim variant Image details: Size: 43 MB Runtime: 3.12.11	1 week ago
`3.11-slim` Minor runtime version update Also known as: 3.11.13-slim 3.11-slim-trixie 3.11.13-slim-trixie	Benefits: Same OS detected Minor runtime version update Image is smaller by 1.6 MB Image contains 27 fewer packages Tag was pushed more recently Image introduces no new vulnerability but removes 16 Tag is using slim variant 3.11-slim was pulled 39K times last month Image details: Size: 46 MB Runtime: 3.11.13	1 week ago
`alpine` Tag is preferred tag Also known as: alpine3.22 3.13.7-alpine 3.13.7-alpine3.22 3.13-alpine 3.13-alpine3.22 3-alpine 3-alpine3.22	Benefits: Minor runtime version update Image is smaller by 29 MB Image contains 114 fewer packages Tag is preferred tag Tag was pushed more recently Image introduces no new vulnerability but removes 40 alpine was pulled 41K times last month Image details: Size: 17 MB Flavor: alpine OS: 3.22 Runtime: 3.13.7	2 days ago

MH0386 · 2025-08-17T13:54:42Z


Your image	`ghcr.io/alphaspheredotai/visualizr:d9d4962-pr-162`
Current base image	`python:3.10-slim`
Refreshed base image	`python:3.10-slim`
Updated base image	`python:3.13-slim`

MH0386 · 2025-08-17T13:54:48Z

🔍 Vulnerabilities of `ghcr.io/alphaspheredotai/visualizr:d9d4962-pr-162`

📦 Image Reference ghcr.io/alphaspheredotai/visualizr:d9d4962-pr-162

digest	`sha256:5d37e1e1e9ef86259f36ce938c9646cf04390a54b3a13e51dc51280299e2ab32`
vulnerabilities
platform	linux/amd64
size	3.1 GB
packages	723

📦 Base Image python:3.10-slim

also known as	`3.10-slim-bookworm` `3.10.18-slim` `3.10.18-slim-bookworm` `ed3b05c18415934ed238971f17827c1fee94c7a9ec69669b43644af273eac0e2`
digest	`sha256:fd939bec23d8e9a1274d70e24db96bceed53e56612f828098f5505086a64f523`
vulnerabilities

torch 2.1.2+cu118 (pypi)

pkg:pypi/[email protected]%2Bcu118

# Dockerfile (41:41)
COPY --from=builder --chown=app:app /app/.venv /app/.venv

Affected range	`<2.5.0`
Fixed version	`2.5.0`
CVSS Score	`9.8`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
EPSS Score	`13.104%`
EPSS Percentile	`94th percentile`

Description

In PyTorch <=2.4.1, the RemoteModule has Deserialization RCE. NOTE: this is disputed by multiple parties because this is intended behavior in PyTorch distributed computing.

Deserialization of Untrusted Data

Affected range	`<=2.5.1`
Fixed version	`2.6.0`
CVSS Score	`9.3`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.334%`
EPSS Percentile	`56th percentile`

Description

Description

I found a Remote Command Execution (RCE) vulnerability in PyTorch. When loading model using torch.load with weights_only=True, it can still achieve RCE.

Background knowledge

https://github.com/pytorch/pytorch/security
As you can see, the PyTorch official documentation considers using torch.load() with weights_only=True to be safe.

Since everyone knows that weights_only=False is unsafe, so they will use the weights_only=True to mitigate the seucirty issue.
But now, I just proved that even if you use weights_only=True, it can still achieve RCE.

Credit

This vulnerability was found by Ji'an Zhou.

Heap-based Buffer Overflow

Affected range	`<2.2.0`
Fixed version	`2.2.0`
CVSS Score	`8.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.024%`
EPSS Percentile	`5th percentile`

Description

PyTorch before v2.2.0 was discovered to contain a heap buffer overflow vulnerability in the component /runtime/vararg_functions.cpp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.

Use After Free

Affected range	`<2.2.0`
Fixed version	`2.2.0`
CVSS Score	`7.8`
CVSS Vector	`CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
EPSS Score	`0.045%`
EPSS Percentile	`13th percentile`

Description

Pytorch before version v2.2.0 was discovered to contain a use-after-free vulnerability in torch/csrc/jit/mobile/interpreter.cpp.

Affected range	`<2.2.0`
Fixed version	`2.2.0`
EPSS Score	`0.060%`
EPSS Percentile	`19th percentile`

Description

Pytorch before v2.2.0 has an Out-of-bounds Read vulnerability via the component torch/csrc/jit/mobile/flatbuffer_loader.cpp.

Improper Resource Shutdown or Release

Affected range	`<=2.7.1`
Fixed version	Not Fixed
CVSS Score	`4.8`
CVSS Vector	`CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N`
EPSS Score	`0.060%`
EPSS Percentile	`19th percentile`

Description

A vulnerability, which was classified as problematic, was found in PyTorch 2.6.0. Affected is the function torch.nn.functional.ctc_loss of the file aten/src/ATen/native/LossCTC.cpp. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The name of the patch is 46fc5d8e360127361211cb237d5f9eef0223e567. It is recommended to apply a patch to fix this issue.

Improper Resource Shutdown or Release

Affected range	`<2.7.1-rc1`
Fixed version	`2.7.1-rc1`
CVSS Score	`1.9`
CVSS Vector	`CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P`
EPSS Score	`0.060%`
EPSS Percentile	`19th percentile`

Description

A vulnerability, which was classified as problematic, has been found in PyTorch 2.6.0+cu124. Affected by this issue is the function torch.mkldnn_max_pool2d. The manipulation leads to denial of service. An attack has to be approached locally. The exploit has been disclosed to the public and may be used.

ffmpeg 7:5.1.6-0+deb12u1 (deb)

pkg:deb/debian/ffmpeg@7%3A5.1.6-0%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=7:5.1.6-0+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.244%`
EPSS Percentile	`48th percentile`

Description

FFmpeg n7.0 is affected by a Double Free via the rkmpp_retrieve_frame function within libavcodec/rkmppdec.c.

ffmpeg 7:7.1-3
FFmpeg/FFmpeg@4513300 (n7.1)
FFmpeg/FFmpeg@d45964a (n5.1.7)

Affected range	`>=7:5.1.6-0+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.244%`
EPSS Percentile	`48th percentile`

Description

FFmpeg n6.1.1 has an Out-of-bounds Read via libavcodec/ppc/vp8dsp_altivec.c, static const vec_s8 h_subpel_filters_outer

ffmpeg 7:7.0.1-3
FFmpeg/FFmpeg@09e6840 (n7.0)
FFmpeg/FFmpeg@1a874e6 (n5.1.7)

Affected range	`>=7:5.1.6-0+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.130%`
EPSS Percentile	`33rd percentile`

Description

Buffer Overflow vulnerability in Ffmpeg v.n6.1-3-g466799d4f5 allows a local attacker to execute arbitrary code via the ff_bwdif_filter_intra_c function in the libavfilter/bwdifdsp.c:125:5 component.

[experimental] - ffmpeg 7:7.0-1

ffmpeg 7:7.0.1-3
[buster] - ffmpeg (Pick up when fixed in most related branch)
FFmpeg/FFmpeg@737ede4 (n7.0)
FFmpeg/FFmpeg@8e6c82c (n5.1.7)
https://trac.ffmpeg.org/ticket/10688

Affected range	`>=7:5.1.6-0+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.089%`
EPSS Percentile	`26th percentile`

Description

A reachable assertion in FFmpeg git-master commit N-113007-g8d24a28d06 allows attackers to cause a Denial of Service (DoS) via opening a crafted AAC file.

ffmpeg 7:7.1.1-1
https://trac.ffmpeg.org/ticket/11385
Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/1446e37d3d032e1452844778b3e6ba2c20f0c322
Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/145a3a84550a1c3a3b848c12a64b53c3c41d2888 (n7.1.1)
Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/a01eaecf6325cefab5b26e0d905df6662db37be1 (n5.1.7)

Affected range	`>=7:5.1.6-0+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.076%`
EPSS Percentile	`23rd percentile`

Description

Unchecked Return Value, Out-of-bounds Read vulnerability in FFmpeg allows Read Sensitive Constants Within an Executable. This vulnerability is associated with program files https://github.Com/FFmpeg/FFmpeg/blob/master/libavfilter/af_pan.C . This issue affects FFmpeg: 7.1. Issue was fixed: FFmpeg/FFmpeg@b5b6391 FFmpeg/FFmpeg@b5b6391 This issue was discovered by: Simcha Kosman

ffmpeg 7:7.1.1-1
Fixed by: FFmpeg/FFmpeg@b5b6391
Fixed by: FFmpeg/FFmpeg@b827ac4 (n7.1.1)
Fixed by: FFmpeg/FFmpeg@edfcade (n5.1.7)

Affected range	`>=7:5.1.6-0+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.017%`
EPSS Percentile	`3rd percentile`

Description

FFmpeg version n6.1 was discovered to contain a heap buffer overflow vulnerability in the draw_block_rectangle function of libavfilter/vf_codecview.c. This vulnerability allows attackers to cause undefined behavior or a Denial of Service (DoS) via crafted input.

[experimental] - ffmpeg 7:7.0-1

ffmpeg 7:7.0.1-3
[bullseye] - ffmpeg (Vulnerable code not present)
[buster] - ffmpeg (Vulnerable code not present)
Fixed by FFmpeg/FFmpeg@99debe5 (n7.0)
Fixed by FFmpeg/FFmpeg@785a6df (n5.1.7)

Affected range	`>=7:5.1.6-0+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.025%`
EPSS Percentile	`5th percentile`

Description

FFmpeg v.n6.1-3-g466799d4f5 allows memory consumption when using the colorcorrect filter, in the av_malloc function in libavutil/mem.c:105:9 component.

[experimental] - ffmpeg 7:7.0-1

ffmpeg 7:7.0.1-3
[bullseye] - ffmpeg (Vulnerable code not present)
[buster] - ffmpeg (Vulnerable code not present)
FFmpeg/FFmpeg@5f87a68 (n7.0)
FFmpeg/FFmpeg@28a7db7 (n5.1.7)
https://trac.ffmpeg.org/ticket/10701

Affected range	`>=7:5.1.6-0+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.022%`
EPSS Percentile	`4th percentile`

Description

FFmpeg v.n6.1-3-g466799d4f5 allows an attacker to trigger use of a parameter of negative size in the av_samples_set_silence function in thelibavutil/samplefmt.c:260:9 component.

[experimental] - ffmpeg 7:7.0-1

ffmpeg 7:7.0.1-3
[bullseye] - ffmpeg (Vulnerable code not present)
[buster] - ffmpeg (Vulnerable code not present)
FFmpeg/FFmpeg@b194273 (n7.0)
FFmpeg/FFmpeg@3a8f94c (n5.1.7)
https://trac.ffmpeg.org/ticket/10700

Affected range	`>=7:5.1.6-0+deb12u1`
Fixed version	Not Fixed

Description

ffmpeg
[trixie] - ffmpeg (Minor issue, wait until it's fixed in the 7.1 branch)
[bullseye] - ffmpeg (Minor issue, wait until it's fixed in the 4.3 branch)
Introduced with: https://git.ffmpeg.org/gitweb/ffmpeg.git/object/dcfd24b10c7eaec4b7b1ec2c4abb46808721a71d
Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/35a6de137a39f274d5e01ed0e0e6c4f04d0aaf07
Fixed by: https://git.ffmpeg.org/gitweb/ffmpeg.git/commitdiff/aad4b59cfee1f0a3cf02f5e2b1f291ce013bf27e (n5.1.7)

transformers 4.19.4 (pypi)

pkg:pypi/[email protected]

# Dockerfile (41:41)
COPY --from=builder --chown=app:app /app/.venv /app/.venv

Deserialization of Untrusted Data

Affected range	`<4.36.0`
Fixed version	`4.36.0`
CVSS Score	`9`
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H`
EPSS Score	`0.161%`
EPSS Percentile	`38th percentile`

Description

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.0.

Deserialization of Untrusted Data

Affected range	`<4.48.0`
Fixed version	`4.48.0`
CVSS Score	`8.8`
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
EPSS Score	`12.422%`
EPSS Percentile	`94th percentile`

Description

Hugging Face Transformers Trax Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25012.

Deserialization of Untrusted Data

Affected range	`<4.48.0`
Fixed version	`4.48.0`
CVSS Score	`8.8`
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
EPSS Score	`42.469%`
EPSS Percentile	`97th percentile`

Description

Hugging Face Transformers MaskFormer Model Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of model files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25191.

Deserialization of Untrusted Data

Affected range	`<4.36.0`
Fixed version	`4.36.0`
CVSS Score	`7.8`
CVSS Vector	`CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H`
EPSS Score	`0.141%`
EPSS Percentile	`35th percentile`

Description

Deserialization of Untrusted Data in GitHub repository huggingface/transformers prior to 4.36.

Deserialization of Untrusted Data

Affected range	`<4.48.0`
Fixed version	`4.48.0`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H`
EPSS Score	`37.111%`
EPSS Percentile	`97th percentile`

Description

Hugging Face Transformers MobileViTV2 Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hugging Face Transformers. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of configuration files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-24322.

Inefficient Regular Expression Complexity

Affected range	`<4.53.0`
Fixed version	`4.53.0`
CVSS Score	`5.3`
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
EPSS Score	`0.055%`
EPSS Percentile	`17th percentile`

Description

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the convert_tf_weight_name_to_pt_weight_name() function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern /[^/]*___([^/]*)/ that can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. The vulnerability affects versions up to 4.51.3 and is fixed in version 4.53.0. This issue can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting model conversion processes between TensorFlow and PyTorch formats.

Inefficient Regular Expression Complexity

Affected range	`<=4.51.3`
Fixed version	`4.52.1`
CVSS Score	`5.3`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
EPSS Score	`0.052%`
EPSS Percentile	`16th percentile`

Description

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's token2json() method. This vulnerability affects versions 4.51.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern <s_(.*?)> which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model.

Inefficient Regular Expression Complexity

Affected range	`<4.51.0`
Fixed version	`4.51.0`
CVSS Score	`5.3`
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
EPSS Score	`0.057%`
EPSS Percentile	`18th percentile`

Description

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the get_imports() function within dynamic_module_utils.py. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern \s*try\s*:.*?except.*?: used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption.

Inefficient Regular Expression Complexity

Affected range	`<4.51.0`
Fixed version	`4.51.0`
CVSS Score	`5.3`
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
EPSS Score	`0.057%`
EPSS Percentile	`18th percentile`

Description

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the get_configuration_file() function within the transformers.configuration_utils module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern config\.(.*)\.json that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library.

Inefficient Regular Expression Complexity

Affected range	`<4.50.0`
Fixed version	`4.50.0`
CVSS Score	`5.3`
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
EPSS Score	`0.076%`
EPSS Percentile	`23rd percentile`

Description

A vulnerability in the preprocess_string() function of the transformers.testing_utils module in huggingface/transformers version v4.48.3 allows for a Regular Expression Denial of Service (ReDoS) attack. The regular expression used to process code blocks in docstrings contains nested quantifiers, leading to exponential backtracking when processing input with a large number of newline characters. An attacker can exploit this by providing a specially crafted payload, causing high CPU usage and potential application downtime, effectively resulting in a Denial of Service (DoS) scenario.

Inefficient Regular Expression Complexity

Affected range	`<4.48.0`
Fixed version	`4.48.0`
CVSS Score	`5.3`
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
EPSS Score	`0.152%`
EPSS Percentile	`37th percentile`

Description

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_nougat_fast.py. The vulnerability occurs in the post_process_single() function, where a regular expression processes specially crafted input. The issue stems from the regex exhibiting exponential time complexity under certain conditions, leading to excessive backtracking. This can result in significantly high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.46.3.

Insecure Temporary File

Affected range	`<4.30.0`
Fixed version	`4.30.0`
CVSS Score	`4.7`
CVSS Vector	`CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H`
EPSS Score	`0.015%`
EPSS Percentile	`2nd percentile`

Description

Insecure Temporary File in GitHub repository huggingface/transformers 4.29.2 and prior. A fix is available at commit 80ca92470938bbcc348e2d9cf4734c7c25cb1c43 and has been released as part of version 4.30.0.

Inefficient Regular Expression Complexity

Affected range	`<4.50.0`
Fixed version	`4.50.0`
CVSS Score	`4.3`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L`
EPSS Score	`0.059%`
EPSS Percentile	`18th percentile`

Description

A Regular Expression Denial of Service (ReDoS) vulnerability was identified in the huggingface/transformers library, specifically in the file tokenization_gpt_neox_japanese.py of the GPT-NeoX-Japanese model. The vulnerability occurs in the SubWordJapaneseTokenizer class, where regular expressions process specially crafted inputs. The issue stems from a regex exhibiting exponential complexity under certain conditions, leading to excessive backtracking. This can result in high CPU usage and potential application downtime, effectively creating a Denial of Service (DoS) scenario. The affected version is v4.48.1 (latest).

Improper Input Validation

Affected range	`<4.52.1`
Fixed version	`4.52.1`
CVSS Score	`3.5`
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N`
EPSS Score	`0.069%`
EPSS Percentile	`22nd percentile`

Description

Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the image_utils.py file. The vulnerability arises from insecure URL validation using the startswith() method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1.

Deserialization of Untrusted Data

Affected range	`<4.38.0`
Fixed version	`4.38.0`
CVSS Score	`3.4`
CVSS Vector	`CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:L`
EPSS Score	`9.109%`
EPSS Percentile	`92nd percentile`

Description

The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the load_repo_checkpoint() function of the TFPreTrainedModel() class. Attackers can execute arbitrary code and commands by crafting a malicious serialized payload, exploiting the use of pickle.load() on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine.

pytorch-lightning 2.3.3 (pypi)

pkg:pypi/[email protected]

# Dockerfile (41:41)
COPY --from=builder --chown=app:app /app/.venv /app/.venv

Unrestricted Upload of File with Dangerous Type

Affected range	`<2.4.0`
Fixed version	`2.4.0`
CVSS Score	`9.1`
CVSS Vector	`CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H`
EPSS Score	`0.354%`
EPSS Percentile	`57th percentile`

Description

In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the LightningApp when running on a Windows host. The vulnerability occurs at the /api/v1/upload_file/ endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.

mbedtls 2.28.3-1 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=2.28.3-1`
Fixed version	Not Fixed
EPSS Score	`0.060%`
EPSS Percentile	`19th percentile`

Description

Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN).

mbedtls 3.6.4-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108791)
https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-7.md

Affected range	`>=2.28.3-1`
Fixed version	Not Fixed
EPSS Score	`0.018%`
EPSS Percentile	`3rd percentile`

Description

Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery.

mbedtls 3.6.4-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108785)
https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-1.md

Affected range	`>=2.28.3-1`
Fixed version	Not Fixed
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input.

mbedtls 3.6.4-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108786)
https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-2.md

Affected range	`>=2.28.3-1`
Fixed version	Not Fixed
EPSS Score	`0.056%`
EPSS Percentile	`17th percentile`

Description

Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_asn1_store_named_data can trigger conflicting data with val.p of NULL but val.len greater than zero.

mbedtls 3.6.4-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108790)
https://github.com/Mbed-TLS/mbedtls-docs/blob/main/security-advisories/mbedtls-security-advisory-2025-06-6.md

Affected range	`>=2.28.3-1`
Fixed version	Not Fixed
EPSS Score	`0.018%`
EPSS Percentile	`3rd percentile`

Description

An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.

mbedtls (unimportant)
No code fix, not a documentation change
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-08-1/

Affected range	`>=2.28.3-1`
Fixed version	Not Fixed
EPSS Score	`0.318%`
EPSS Percentile	`54th percentile`

Description

Mbed TLS 2.x before 2.28.5 and 3.x before 3.5.0 has a Buffer Overflow.

mbedtls (unimportant)
https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2023-10-1/
Vulnerability not present in default build and only present if compile-time
configuration enables vulnerable cipher suites. Debian does not enable
MBEDTLS_CIPHER_NULL_CIPHER and MBEDTLS_ARC4_C.

Affected range	`>=2.28.3-1`
Fixed version	Not Fixed
EPSS Score	`0.104%`
EPSS Percentile	`29th percentile`

Description

ARM mbedTLS version 2.7.0 and earlier contains a Ciphersuite Allows Incorrectly Signed Certificates vulnerability in mbedtls_ssl_get_verify_result() that can result in ECDSA-signed certificates are accepted, when only RSA-signed ones should be.. This attack appear to be exploitable via Peers negotiate a TLS-ECDH-RSA-* ciphersuite. Any of the peers can then provide an ECDSA-signed certificate, when only an RSA-signed one should be accepted..

mbedtls (unimportant)

polarssl (unimportant)
TLS-ECDH-RSA-* Ciphersuites Allow ECDSA Signed Certificates Mbed-TLS/mbedtls#1561
No security impact

setuptools 65.5.1 (pypi)

pkg:pypi/[email protected]

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected range	`<78.1.1`
Fixed version	`78.1.1`
CVSS Score	`7.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P`
EPSS Score	`0.139%`
EPSS Percentile	`35th percentile`

Description

Summary

A path traversal vulnerability in PackageIndex was fixed in setuptools version 78.1.1

Details
    def _download_url(self, url, tmpdir):
        # Determine download filename
        #
        name, _fragment = egg_info_for_url(url)
        if name:
            while '..' in name:
                name = name.replace('..', '.').replace('\\', '_')
        else:
            name = "__downloaded__"  # default if URL has no path contents

        if name.endswith('.[egg.zip](http://egg.zip/)'):
            name = name[:-4]  # strip the extra .zip before download

 -->       filename = os.path.join(tmpdir, name)
Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88

os.path.join() discards the first argument tmpdir if the second begins with a slash or drive letter.
name is derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of '..' with '.', it is insufficient.

Risk Assessment

As easy_install and package_index are deprecated, the exploitation surface is reduced.
However, it seems this could be exploited in a similar fashion like GHSA-r9hx-vwmv-q579, and as described by POC 4 in GHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index.

Impact

An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context.

References

https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
pypa/setuptools#4946

Improper Control of Generation of Code ('Code Injection')

Affected range	`<70.0.0`
Fixed version	`70.0.0`
CVSS Score	`7.5`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.227%`
EPSS Percentile	`45th percentile`

Description

A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0.

protobuf 3.20.1 (pypi)

pkg:pypi/[email protected]

# Dockerfile (41:41)
COPY --from=builder --chown=app:app /app/.venv /app/.venv

Uncontrolled Recursion

Affected range	`<4.25.8`
Fixed version	`4.25.8`
CVSS Score	`8.2`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.024%`
EPSS Percentile	`5th percentile`

Description

Summary

Any project that uses Protobuf pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit.

Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team
[email protected]

Affected versions: This issue only affects the pure-Python implementation of protobuf-python backend. This is the implementation when PROTOCOL_BUFFERS_PYTHON_IMPLEMENTATION=python environment variable is set or the default when protobuf is used from Bazel or pure-Python PyPi wheels. CPython PyPi wheels do not use pure-Python by default.

This is a Python variant of a previous issue affecting protobuf-java.

Severity

This is a potential Denial of Service. Parsing nested protobuf data creates unbounded recursions that can be abused by an attacker.

Proof of Concept

For reproduction details, please refer to the unit tests decoder_test.py and message_test

Remediation and Mitigation

A mitigation is available now. Please update to the latest available versions of the following packages:

protobuf-python(4.25.8, 5.29.5, 6.31.1)

Improper Restriction of Operations within the Bounds of a Memory Buffer

Affected range	`>=3.20.0 <3.20.2`
Fixed version	`3.20.2`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
EPSS Score	`0.123%`
EPSS Percentile	`32nd percentile`

Description

Summary

A message parsing and memory management vulnerability in ProtocolBuffer’s C++ and Python implementations can trigger an out of memory (OOM) failure when processing a specially crafted message, which could lead to a denial of service (DoS) on services using the libraries.

Reporter: ClusterFuzz

Affected versions: All versions of C++ Protobufs (including Python) prior to the versions listed below.

Severity & Impact

As scored by google
Medium 5.7 - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Asscored byt NIST
High 7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

A small (~500 KB) malicious payload can be constructed which causes the running service to allocate more than 3GB of RAM.

Proof of Concept

For reproduction details, please refer to the unit test that identifies the specific inputs that exercise this parsing weakness.

Mitigation / Patching

Please update to the latest available versions of the following packages:

protobuf-cpp (3.18.3, 3.19.5, 3.20.2, 3.21.6)

protobuf-python (3.18.3, 3.19.5, 3.20.2, 4.21.6)

urllib3 1.26.13 (pypi)

pkg:pypi/[email protected]

# Dockerfile (41:41)
COPY --from=builder --chown=app:app /app/.venv /app/.venv

Exposure of Sensitive Information to an Unauthorized Actor

Affected range	`<1.26.17`
Fixed version	`1.26.17`
CVSS Score	`7.4`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N`
EPSS Score	`0.362%`
EPSS Percentile	`58th percentile`

Description

urllib3 doesn't treat the Cookie HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly.

Users must handle redirects themselves instead of relying on urllib3's automatic redirects to achieve safe processing of the Cookie header, thus we decided to strip the header by default in order to further protect users who aren't using the correct approach.

Affected usages

We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:

Using an affected version of urllib3 (patched in v1.26.17 and v2.0.6)

Using the Cookie header on requests, which is mostly typical for impersonating a browser.

Not disabling HTTP redirects

Either not using HTTPS or for the origin server to redirect to a malicious origin.

Remediation

Upgrading to at least urllib3 v1.26.17 or v2.0.6

Disabling HTTP redirects using redirects=False when sending requests.

Not using the Cookie header.

Exposure of Sensitive Information to an Unauthorized Actor

Affected range	`<1.26.18`
Fixed version	`1.26.18`
CVSS Score	`5.7`
CVSS Vector	`CVSS:4.0/AV:A/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N`
EPSS Score	`0.056%`
EPSS Percentile	`17th percentile`

Description

urllib3 previously wouldn't remove the HTTP request body when an HTTP redirect response using status 303 "See Other" after the request had its method changed from one that could accept a request body (like POST) to GET as is required by HTTP RFCs. Although the behavior of removing the request body is not specified in the section for redirects, it can be inferred by piecing together information from different sections and we have observed the behavior in other major HTTP client implementations like curl and web browsers.

From RFC 9110 Section 9.3.1:

A client SHOULD NOT generate content in a GET request unless it is made directly to an origin server that has previously indicated, in or out of band, that such a request has a purpose and will be adequately supported.

Affected usages

Because the vulnerability requires a previously trusted service to become compromised in order to have an impact on confidentiality we believe the exploitability of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request bodies, if this is the case then this vulnerability isn't exploitable.

Both of the following conditions must be true to be affected by this vulnerability:

If you're using urllib3 and submitting sensitive information in the HTTP request body (such as form data or JSON)

The origin service is compromised and starts redirecting using 303 to a malicious peer or the redirected-to service becomes compromised.

Remediation

You can remediate this vulnerability with any of the following steps:

Upgrade to a patched version of urllib3 (v1.26.18 or v2.0.7)

Disable redirects for services that you aren't expecting to respond with redirects with redirects=False.

Disable automatic redirects with redirects=False and handle 303 redirects manually by stripping the HTTP request body.

URL Redirection to Untrusted Site ('Open Redirect')

Affected range	`<2.5.0`
Fixed version	`2.5.0`
CVSS Score	`5.3`
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N`
EPSS Score	`0.013%`
EPSS Percentile	`1st percentile`

Description

urllib3 handles redirects and retries using the same mechanism, which is controlled by the Retry object. The most common way to disable redirects is at the request level, as follows:
resp = urllib3.request("GET", "https://httpbin.org/redirect/1", redirect=False)
print(resp.status)
# 302
However, it is also possible to disable redirects, for all requests, by instantiating a PoolManager and specifying retries in a way that disable redirects:
import urllib3

http = urllib3.PoolManager(retries=0)  # should raise MaxRetryError on redirect
http = urllib3.PoolManager(retries=urllib3.Retry(redirect=0))  # equivalent to the above
http = urllib3.PoolManager(retries=False)  # should return the first response

resp = http.request("GET", "https://httpbin.org/redirect/1")
However, the retries parameter is currently ignored, which means all the above examples don't disable redirects.

Affected usages

Passing retries on PoolManager instantiation to disable redirects or restrict their number.

By default, requests and botocore users are not affected.

Impact

Redirects are often used to exploit SSRF vulnerabilities. An application attempting to mitigate SSRF or open redirect vulnerabilities by disabling redirects at the PoolManager level will remain vulnerable.

Remediation

You can remediate this vulnerability with the following steps:

Upgrade to a patched version of urllib3. If your organization would benefit from the continued support of urllib3 1.x, please contact [email protected] to discuss sponsorship or contribution opportunities.

Disable redirects at the request() level instead of the PoolManager() level.

Incorrect Resource Transfer Between Spheres

Affected range	`<1.26.19`
Fixed version	`1.26.19`
CVSS Score	`4.4`
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N`
EPSS Score	`0.198%`
EPSS Percentile	`42nd percentile`

Description

When using urllib3's proxy support with ProxyManager, the Proxy-Authorization header is only sent to the configured proxy, as expected.

However, when sending HTTP requests without using urllib3's proxy support, it's possible to accidentally configure the Proxy-Authorization header even though it won't have any effect as the request is not using a forwarding proxy or a tunneling proxy. In those cases, urllib3 doesn't treat the Proxy-Authorization HTTP header as one carrying authentication material and thus doesn't strip the header on cross-origin redirects.

Because this is a highly unlikely scenario, we believe the severity of this vulnerability is low for almost all users. Out of an abundance of caution urllib3 will automatically strip the Proxy-Authorization header during cross-origin redirects to avoid the small chance that users are doing this on accident.

Users should use urllib3's proxy support or disable automatic redirects to achieve safe processing of the Proxy-Authorization header, but we still decided to strip the header by default in order to further protect users who aren't using the correct approach.

Affected usages

We believe the number of usages affected by this advisory is low. It requires all of the following to be true to be exploited:

Setting the Proxy-Authorization header without using urllib3's built-in proxy support.

Not disabling HTTP redirects.

Either not using an HTTPS origin server or for the proxy or target origin to redirect to a malicious origin.

Remediation

Using the Proxy-Authorization header with urllib3's ProxyManager.

Disabling HTTP redirects using redirects=False when sending requests.

Not using the Proxy-Authorization header.

certifi 2022.12.7 (pypi)

pkg:pypi/[email protected]

# Dockerfile (41:41)
COPY --from=builder --chown=app:app /app/.venv /app/.venv

Insufficient Verification of Data Authenticity

Affected range	`>=2015.4.28 <2023.7.22`
Fixed version	`2023.7.22`
CVSS Score	`7.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`
EPSS Score	`0.112%`
EPSS Percentile	`30th percentile`

Description

Certifi 2023.07.22 removes root certificates from "e-Tugra" from the root store. These are in the process of being removed from Mozilla's trust store.

e-Tugra's root certificates are being removed pursuant to an investigation prompted by reporting of security issues in their systems. Conclusions of Mozilla's investigation can be found here.

Insufficient Verification of Data Authenticity

Affected range	`>=2021.5.30 <2024.7.4`
Fixed version	`2024.7.4`
EPSS Score	`21.233%`
EPSS Percentile	`95th percentile`

Description

Certifi 2024.07.04 removes root certificates from "GLOBALTRUST" from the root store. These are in the process of being removed from Mozilla's trust store.

GLOBALTRUST's root certificates are being removed pursuant to an investigation which identified "long-running and unresolved compliance issues". Conclusions of Mozilla's investigation can be found here.

pam 1.5.2-6+deb12u1 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=1.5.2-6+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.023%`
EPSS Percentile	`4th percentile`

Description

A flaw was found in linux-pam. The module pam_namespace may use access user-controlled paths without proper protection, allowing local users to elevate their privileges to root via multiple symlink attacks and race conditions.

[experimental] - pam 1.7.0-4

pam 1.7.0-5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107919)
https://www.openwall.com/lists/oss-security/2025/06/17/1
GHSA-f9p8-gjr4-j9gx
Fixed by: linux-pam/linux-pam@475bd60 (v1.7.1)
Fixed by: linux-pam/linux-pam@592d84e (v1.7.1)
Fixed by: linux-pam/linux-pam@976c200 (v1.7.1)

setuptools 70.2.0 (pypi)

pkg:pypi/[email protected]

# Dockerfile (41:41)
COPY --from=builder --chown=app:app /app/.venv /app/.venv

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Affected range	`<78.1.1`
Fixed version	`78.1.1`
CVSS Score	`7.7`
CVSS Vector	`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P`
EPSS Score	`0.139%`
EPSS Percentile	`35th percentile`

Description

Summary

A path traversal vulnerability in PackageIndex was fixed in setuptools version 78.1.1

Details
    def _download_url(self, url, tmpdir):
        # Determine download filename
        #
        name, _fragment = egg_info_for_url(url)
        if name:
            while '..' in name:
                name = name.replace('..', '.').replace('\\', '_')
        else:
            name = "__downloaded__"  # default if URL has no path contents

        if name.endswith('.[egg.zip](http://egg.zip/)'):
            name = name[:-4]  # strip the extra .zip before download

 -->       filename = os.path.join(tmpdir, name)
Here: https://github.com/pypa/setuptools/blob/6ead555c5fb29bc57fe6105b1bffc163f56fd558/setuptools/package_index.py#L810C1-L825C88

os.path.join() discards the first argument tmpdir if the second begins with a slash or drive letter.
name is derived from a URL without sufficient sanitization. While there is some attempt to sanitize by replacing instances of '..' with '.', it is insufficient.

Risk Assessment

As easy_install and package_index are deprecated, the exploitation surface is reduced.
However, it seems this could be exploited in a similar fashion like GHSA-r9hx-vwmv-q579, and as described by POC 4 in GHSA-cx63-2mw6-8hw5 report: via malicious URLs present on the pages of a package index.

Impact

An attacker would be allowed to write files to arbitrary locations on the filesystem with the permissions of the process running the Python code, which could escalate to RCE depending on the context.

References

https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5
pypa/setuptools#4946

gradio 5.42.0 (pypi)

pkg:pypi/[email protected]

# Dockerfile (41:41)
COPY --from=builder --chown=app:app /app/.venv /app/.venv

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<2023-11-06`
Fixed version	Not Fixed
CVSS Score	`8.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N`
EPSS Score	`1.662%`
EPSS Percentile	`81st percentile`

Description

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository gradio-app/gradio prior to main.

gnutls28 3.7.9-2+deb12u4 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u4?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`<3.7.9-2+deb12u5`
Fixed version	`3.7.9-2+deb12u5`
EPSS Score	`0.057%`
EPSS Percentile	`18th percentile`

Description

A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite().

gnutls28 3.8.9-3
https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html
https://gitlab.com/gnutls/gnutls/-/issues/1718
Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/23135619773e6ec087ff2abc65405bd4d5676bad (3.8.10)

Affected range	`<3.7.9-2+deb12u5`
Fixed version	`3.7.9-2+deb12u5`
EPSS Score	`0.072%`
EPSS Percentile	`23rd percentile`

Description

A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system.

gnutls28 3.8.9-3
https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html
https://gitlab.com/gnutls/gnutls/-/issues/1696
Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/408bed40c36a4cc98f0c94a818f682810f731f32 (3.8.10)

Affected range	`<3.7.9-2+deb12u5`
Fixed version	`3.7.9-2+deb12u5`
EPSS Score	`0.057%`
EPSS Percentile	`18th percentile`

Description

A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior.

gnutls28 3.8.9-3
https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html
https://gitlab.com/gnutls/gnutls/-/issues/1694
Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/608829769cbc247679ffe98841109fc73875e573 (3.8.10)

Affected range	`<3.7.9-2+deb12u5`
Fixed version	`3.7.9-2+deb12u5`
EPSS Score	`0.026%`
EPSS Percentile	`5th percentile`

Description

A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly.

gnutls28 3.8.9-3
[bullseye] - gnutls28 (Vulnerable code introduced later)
https://lists.gnupg.org/pipermail/gnutls-help/2025-July/004883.html
https://gitlab.com/gnutls/gnutls/-/issues/1695
Introduced by: https://gitlab.com/gnutls/gnutls/-/commit/242abb6945cbb56c4a41c393d0253ea5b9d3a36a (3.7.3)
Fixed by: https://gitlab.com/gnutls/gnutls/-/commit/8e5ca951257202089246fa37e93a99d210ee5ca2 (3.8.10)

Affected range	`>=3.7.9-2+deb12u4`
Fixed version	Not Fixed
EPSS Score	`4.513%`
EPSS Percentile	`89th percentile`

Description

The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

sun-java6 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=645881)
[lenny] - sun-java6 (Non-free not supported)
[squeeze] - sun-java6 (Non-free not supported)

openjdk-6 6b23~pre11-1

openjdk-7 7~b147-2.0-1

iceweasel (Vulnerable code not present)
http://blog.mozilla.com/security/2011/09/27/attack-against-tls-protected-communications/

chromium-browser 15.0.874.106~r107270-1
[squeeze] - chromium-browser

lighttpd 1.4.30-1
strictly speaking this is no lighttpd issue, but lighttpd adds a workaround

curl 7.24.0-1
http://curl.haxx.se/docs/adv_20120124B.html

python2.6 2.6.8-0.1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684511)
[squeeze] - python2.6 (Minor issue)

python2.7 2.7.3~rc1-1

python3.1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=678998)
[squeeze] - python3.1 (Minor issue)

python3.2 3.2.3~rc1-1
http://bugs.python.org/issue13885
python3.1 is fixed starting 3.1.5

cyassl

gnutls26 (unimportant)

gnutls28 (unimportant)
No mitigation for gnutls, it is recommended to use TLS 1.1 or 1.2 which is supported since 2.0.0

haskell-tls (unimportant)
No mitigation for haskell-tls, it is recommended to use TLS 1.1, which is supported since 0.2

matrixssl (low)
[squeeze] - matrixssl (Minor issue)
[wheezy] - matrixssl (Minor issue)
matrixssl fix this upstream in 3.2.2

bouncycastle 1.49+dfsg-1
[squeeze] - bouncycastle (Minor issue)
[wheezy] - bouncycastle (Minor issue)
No mitigation for bouncycastle, it is recommended to use TLS 1.1, which is supported since 1.4.9

nss 3.13.1.with.ckbi.1.88-1
https://bugzilla.mozilla.org/show_bug.cgi?id=665814
https://hg.mozilla.org/projects/nss/rev/7f7446fcc7ab

polarssl (unimportant)
No mitigation for polarssl, it is recommended to use TLS 1.1, which is supported in all releases

tlslite
[wheezy] - tlslite (Minor issue)

pound 2.6-2
Pound 2.6-2 added an anti_beast.patch to mitigate BEAST attacks.

erlang 1:15.b-dfsg-1
[squeeze] - erlang (Minor issue)

asterisk 1:13.7.2dfsg-1
[jessie] - asterisk 1:11.13.1dfsg-2+deb8u1
[wheezy] - asterisk (Minor issue)
[squeeze] - asterisk (Not supported in Squeeze LTS)
http://downloads.digium.com/pub/security/AST-2016-001.html
https://issues.asterisk.org/jira/browse/ASTERISK-24972
patch for 11 (jessie): https://code.asterisk.org/code/changelog/asterisk?cs=f233bcd81d85626ce5bdd27b05bc95d131faf3e4
all versions vulnerable, backport required for wheezy

requests 2.28.1 (pypi)

pkg:pypi/[email protected]

# Dockerfile (41:41)
COPY --from=builder --chown=app:app /app/.venv /app/.venv

Exposure of Sensitive Information to an Unauthorized Actor

Affected range	`>=2.3.0 <2.31.0`
Fixed version	`2.31.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N`
EPSS Score	`6.121%`
EPSS Percentile	`90th percentile`

Description

Impact

Since Requests v2.3.0, Requests has been vulnerable to potentially leaking Proxy-Authorization headers to destination servers, specifically during redirects to an HTTPS origin. This is a product of how rebuild_proxies is used to recompute and reattach the Proxy-Authorization header to requests when redirected. Note this behavior has only been observed to affect proxied requests when credentials are supplied in the URL user information component (e.g. https://username:password@proxy:8080).

Current vulnerable behavior(s):

HTTP → HTTPS: leak

HTTPS → HTTP: no leak

HTTPS → HTTPS: leak

HTTP → HTTP: no leak

For HTTP connections sent through the proxy, the proxy will identify the header in the request itself and remove it prior to forwarding to the destination server. However when sent over HTTPS, the Proxy-Authorization header must be sent in the CONNECT request as the proxy has no visibility into further tunneled requests. This results in Requests forwarding the header to the destination server unintentionally, allowing a malicious actor to potentially exfiltrate those credentials.

The reason this currently works for HTTPS connections in Requests is the Proxy-Authorization header is also handled by urllib3 with our usage of the ProxyManager in adapters.py with proxy_manager_for. This will compute the required proxy headers in proxy_headers and pass them to the Proxy Manager, avoiding attaching them directly to the Request object. This will be our preferred option going forward for default usage.

Patches

Starting in Requests v2.31.0, Requests will no longer attach this header to redirects with an HTTPS destination. This should have no negative impacts on the default behavior of the library as the proxy credentials are already properly being handled by urllib3's ProxyManager.

For users with custom adapters, this may be potentially breaking if you were already working around this behavior. The previous functionality of rebuild_proxies doesn't make sense in any case, so we would encourage any users impacted to migrate any handling of Proxy-Authorization directly into their custom adapter.

Workarounds

For users who are not able to update Requests immediately, there is one potential workaround.

You may disable redirects by setting allow_redirects to False on all calls through Requests top-level APIs. Note that if you're currently relying on redirect behaviors, you will need to capture the 3xx response codes and ensure a new request is made to the redirect destination.
import requests
r = requests.get('http://github.com/', allow_redirects=False)
Credits

This vulnerability was discovered and disclosed by the following individuals.

Dennis Brinkrolf, Haxolot (https://haxolot.com/)
Tobias Funke, ([email protected])

Always-Incorrect Control Flow Implementation

Affected range	`<2.32.0`
Fixed version	`2.32.0`
CVSS Score	`5.6`
CVSS Vector	`CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N`
EPSS Score	`0.046%`
EPSS Percentile	`13th percentile`

Description

When making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same origin will continue to ignore cert verification regardless of changes to the value of verify. This behavior will continue for the lifecycle of the connection in the connection pool.

Remediation

Any of these options can be used to remediate the current issue, we highly recommend upgrading as the preferred mitigation.

Upgrade to requests>=2.32.0.

For requests<2.32.0, avoid setting verify=False for the first request to a host while using a Requests Session.

For requests<2.32.0, call close() on Session objects to clear existing connections if verify=False is used.

Related Links

Use TLS settings in selecting connection pool psf/requests#6655

Insufficiently Protected Credentials

Affected range	`<2.32.4`
Fixed version	`2.32.4`
CVSS Score	`5.3`
CVSS Vector	`CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N`
EPSS Score	`0.028%`
EPSS Percentile	`6th percentile`

Description

Impact

Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs.

Workarounds

For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs).

References

psf/requests#6965
https://seclists.org/fulldisclosure/2025/Jun/2

jinja2 3.1.4 (pypi)

pkg:pypi/[email protected]

# Dockerfile (41:41)
COPY --from=builder --chown=app:app /app/.venv /app/.venv

Improper Neutralization of Special Elements Used in a Template Engine

Affected range	`<=3.1.5`
Fixed version	`3.1.6`
CVSS Score	`5.4`
CVSS Vector	`CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.048%`
EPSS Percentile	`14th percentile`

Description

An oversight in how the Jinja sandboxed environment interacts with the |attr filter allows an attacker that controls the content of a template to execute arbitrary Python code.

To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.

Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter no longer bypasses the environment's attribute lookup.

Protection Mechanism Failure

Affected range	`<=3.1.4`
Fixed version	`3.1.5`
CVSS Score	`5.4`
CVSS Vector	`CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.043%`
EPSS Percentile	`12th percentile`

Description

An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code.

To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates.

Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's format method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox.

Improper Neutralization of Escape, Meta, or Control Sequences

Affected range	`>=3.0.0 <=3.1.4`
Fixed version	`3.1.5`
CVSS Score	`5.4`
CVSS Vector	`CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.019%`
EPSS Percentile	`3rd percentile`

Description

A bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used.

To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename.

tiff 4.5.0-6+deb12u2 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u2?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.015%`
EPSS Percentile	`2nd percentile`

Description

A vulnerability was identified in LibTIFF 4.7.0. This issue affects the function May of the file tiffcrop.c of the component tiffcrop. The manipulation leads to memory corruption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used.

tiff (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111317)
https://gitlab.com/libtiff/libtiff/-/issues/721

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.014%`
EPSS Percentile	`2nd percentile`

Description

A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as problematic. Affected by this vulnerability is the function t2p_read_tiff_init of the file tools/tiff2pdf.c of the component fax2ps. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The patch is named 2ebfffb0e8836bfb1cd7d85c059cd285c59761a4. It is recommended to apply a patch to fix this issue.

tiff (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1111323)
https://gitlab.com/libtiff/libtiff/-/issues/649
https://gitlab.com/libtiff/libtiff/-/issues/650
https://gitlab.com/libtiff/libtiff/-/merge_requests/667
https://gitlab.com/libtiff/libtiff/-/commit/7be20ccaab97455f192de0ac561ceda7cd9e12d1
https://gitlab.com/libtiff/libtiff/-/commit/2ebfffb0e8836bfb1cd7d85c059cd285c59761a4

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.013%`
EPSS Percentile	`1st percentile`

Description

A vulnerability was determined in LibTIFF up to 4.5.1. Affected by this issue is the function readSeparateStripsetoBuffer of the file tools/tiffcrop.c of the component tiffcrop. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The patch is identified as 8a7a48d7a645992ca83062b3a1873c951661e2b3. It is recommended to apply a patch to fix this issue.

tiff 4.7.0-1 (unimportant)
https://gitlab.com/libtiff/libtiff/-/commit/8a7a48d7a645992ca83062b3a1873c951661e2b3 (v4.7.0rc1)
Crash in CLI tool, no security impact

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.014%`
EPSS Percentile	`2nd percentile`

Description

A vulnerability classified as problematic was found in libtiff 4.6.0. This vulnerability affects the function PS_Lvl2page of the file tools/tiff2ps.c of the component tiff2ps. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 6ba36f159fd396ad11bf6b7874554197736ecc8b. It is recommended to apply a patch to fix this issue. One of the maintainers explains, that "[t]his error only occurs if DEFER_STRILE_LOAD (defer-strile-load:BOOL=ON) or TIFFOpen( .. "rD") option is used."

tiff (unimportant)
https://gitlab.com/libtiff/libtiff/-/issues/718
https://gitlab.com/libtiff/libtiff/-/merge_requests/746
Crash in CLI tool, no security impact

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.014%`
EPSS Percentile	`2nd percentile`

Description

A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as critical. This issue affects the function setrow of the file tools/thumbnail.c. The manipulation leads to buffer overflow. An attack has to be approached locally. The patch is named e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to apply a patch to fix this issue. This vulnerability only affects products that are no longer supported by the maintainer.

tiff (unimportant)
https://gitlab.com/libtiff/libtiff/-/issues/715
https://gitlab.com/libtiff/libtiff/-/merge_requests/737
Crash in CLI tool, no security impact

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.014%`
EPSS Percentile	`2nd percentile`

Description

A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as critical. This vulnerability affects the function get_histogram of the file tools/tiffmedian.c. The manipulation leads to use after free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a patch to fix this issue.

tiff (unimportant)
https://gitlab.com/libtiff/libtiff/-/issues/707
https://gitlab.com/libtiff/libtiff/-/merge_requests/727
Crash in CLI tool, no security impact

Affected range	`>=4.5.0-6+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.043%`
EPSS Percentile	`12th percentile`

Description

REJECTED

REJECTED

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.017%`
EPSS Percentile	`3rd percentile`

Description

An issue was found in the tiffcp utility distributed by the libtiff package where a crafted TIFF file on processing may cause a heap-based buffer overflow leads to an application crash.

tiff (unimportant)
https://gitlab.com/libtiff/libtiff/-/issues/606
Fixed by: https://gitlab.com/libtiff/libtiff/-/commit/1e7d217a323eac701b134afc4ae39b6bdfdbc96a
Crash in CLI tool, no security impact

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file.

tiff (unimportant)
https://gitlab.com/libtiff/libtiff/-/issues/542
Crash in CLI tool, no security impact

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.017%`
EPSS Percentile	`2nd percentile`

Description

A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff versions 4.x.

tiff (unimportant)
https://gitlab.com/libtiff/libtiff/-/issues/536
https://gitlab.com/libtiff/libtiff/-/issues/537
Crash in CLI tool, no security impact

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.038%`
EPSS Percentile	`10th percentile`

Description

A vulnerability classified as problematic was found in LibTIFF 4.3.0. Affected by this vulnerability is the TIFF File Handler of tiff2ps. Opening a malicious file leads to a denial of service. The attack can be launched remotely but requires user interaction. The exploit has been disclosed to the public and may be used.

tiff (unimportant)
[bullseye] - tiff (Minor issue)
[buster] - tiff (Minor issue)
https://gitlab.com/libtiff/libtiff/-/issues/402
Crash in CLI tool, no security impact

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.456%`
EPSS Percentile	`63rd percentile`

Description

ijg-libjpeg before 9d, as used in tiff2pdf (from LibTIFF) and other products, does not check for a NULL pointer at a certain place in jpeg_fdct_16x16 in jfdctint.c.

tiff (unimportant)
http://bugzilla.maptools.org/show_bug.cgi?id=2786
Crash in CLI tool, no security impact

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.098%`
EPSS Percentile	`28th percentile`

Description

In LibTIFF 4.0.6 and possibly other versions, the program processes BMP images without verifying that biWidth and biHeight in the bitmap-information header match the actual input, as demonstrated by a heap-based buffer over-read in bmp2tiff. NOTE: mentioning bmp2tiff does not imply that the activation point is in the bmp2tiff.c file (which was removed before the 4.0.7 release).

tiff (unimportant)

tiff3 (Does not ship libtiff-tools)
http://bugzilla.maptools.org/show_bug.cgi?id=2690
bmp2tiff utility removed in 4.0.6-3 and 4.0.3-12.3+deb8u2

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.457%`
EPSS Percentile	`63rd percentile`

Description

LibTIFF version 4.0.7 is vulnerable to a heap-based buffer over-read in tif_lzw.c resulting in DoS or code execution via a crafted bmp image to tools/bmp2tiff.

tiff (unimportant)
http://bugzilla.maptools.org/show_bug.cgi?id=2664
bmp2tiff utility removed in 4.0.6-3 and 4.0.3-12.3+deb8u2

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.419%`
EPSS Percentile	`61st percentile`

Description

In LibTIFF 4.0.8, there is a heap-based use-after-free in the t2p_writeproc function in tiff2pdf.c. NOTE: there is a third-party report of inability to reproduce this issue

tiff (unimportant)

tiff3 (unimportant)
http://bugzilla.maptools.org/show_bug.cgi?id=2769
Details on the issue are not confirmed by the reporter after several attempts
and this does like a non-issue. More reprodicibly reports are from SUSE in
https://bugzilla.suse.com/show_bug.cgi?id=1074318#c5 claiming this might be
a duplicate of CVE-2017-9935. Unless the reporter provides more details on
upstream report go and consider this as non-issue.

Affected range	`>=4.5.0-6+deb12u2`
Fixed version	Not Fixed
EPSS Score	`1.738%`
EPSS Percentile	`82nd percentile`

Description

LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow attackers to cause a denial of service (memory consumption), as demonstrated by tif_open.c, tif_lzw.c, and tif_aux.c. NOTE: Third parties were unable to reproduce the issue

tiff (unimportant)
http://seclists.org/oss-sec/2017/q4/168
Related commit: https://gitlab.com/libtiff/libtiff/commit/25f9ffa56548c1846c4a1f19308b7f561f7b1ab0
This is actually only a partial fix, but upstream will not fix it completely.
The related commit is included in 4.0.9. The underlying memory-based DOS
would still be present.

Affected range	`>=4.5.0-6`
Fixed version	Not Fixed

Description

REJECTED

REJECTED

Affected range	`>=4.5.0-6`
Fixed version	Not Fixed

Description

REJECTED

REJECTED

tar 1.34+dfsg-1.2+deb12u1 (deb)

pkg:deb/debian/[email protected]%2Bdfsg-1.2%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=1.34+dfsg-1.2+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.041%`
EPSS Percentile	`11th percentile`

Description

GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages).

Disputed tar issue, works as documented per upstream:
https://lists.gnu.org/archive/html/bug-tar/2025-08/msg00012.html
https://github.com/i900008/vulndb/blob/main/Gnu_tar_vuln.md

Affected range	`>=1.34+dfsg-1.2+deb12u1`
Fixed version	Not Fixed
EPSS Score	`3.250%`
EPSS Percentile	`87th percentile`

Description

Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.

This is intended behaviour, after all tar is an archiving tool and you
need to give -p as a command line flag

tar (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=328228; unimportant)

sqlite3 3.40.1-2+deb12u1 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=3.40.1-2+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.029%`
EPSS Percentile	`6th percentile`

Description

An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory via a crafted SELECT statement with a large number of expressions in the ORDER BY clause.

sqlite3 3.42.0-1
https://sqlite.org/forum/forumpost/16ce2bb7a639e29b
https://sqlite.org/src/info/12ad822d9b827777

Affected range	`>=3.40.1-2+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.205%`
EPSS Percentile	`43rd percentile`

Description

A Memory Leak vulnerability exists in SQLite Project SQLite3 3.35.1 and 3.37.0 via maliciously crafted SQL Queries (made via editing the Database File), it is possible to query a record, and leak subsequent bytes of memory that extend beyond the record, which could let a malicious user obtain sensitive information. NOTE: The developer disputes this as a vulnerability stating that If you give SQLite a corrupted database file and submit a query against the database, it might read parts of the database that you did not intend or expect.

sqlite3 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005974)

sqlite (unimportant)
https://github.com/guyinatuxedo/sqlite3_record_leaking
https://bugzilla.redhat.com/show_bug.cgi?id=2054793
https://sqlite.org/forum/forumpost/056d557c2f8c452ed5bb9c215414c802b215ce437be82be047726e521342161e
Negligible security impact

idna 3.4 (pypi)

pkg:pypi/[email protected]

# Dockerfile (41:41)
COPY --from=builder --chown=app:app /app/.venv /app/.venv

Uncontrolled Resource Consumption

Affected range	`<3.7`
Fixed version	`3.7`
CVSS Score	`6.9`
CVSS Vector	`CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N`
EPSS Score	`0.347%`
EPSS Percentile	`57th percentile`

Description

Impact

A specially crafted argument to the idna.encode() function could consume significant resources. This may lead to a denial-of-service.

Patches

The function has been refined to reject such strings without the associated resource consumption in version 3.7.

Workarounds

Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the idna.encode() function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.

References

https://huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb

basicsr 1.4.2 (pypi)

pkg:pypi/[email protected]

# Dockerfile (41:41)
COPY --from=builder --chown=app:app /app/.venv /app/.venv

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Affected range	`<=1.4.2`
Fixed version	Not Fixed
CVSS Score	`5.3`
CVSS Vector	`CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L`
EPSS Score	`0.078%`
EPSS Percentile	`24th percentile`

Description

XPixelGroup BasicSR through 1.4.2 might locally allow code execution in contrived situations where "scontrol show hostname" is executed in the presence of a crafted SLURM_NODELIST environment variable.

libssh 0.10.6-0+deb12u1 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=0.10.6-0+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.013%`
EPSS Percentile	`1st percentile`

Description

A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash.

libssh (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109860)
[bullseye] - libssh (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=2383220
TODO: check upstream details

pip 23.0.1 (pypi)

pkg:pypi/[email protected]

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Affected range	`<23.3`
Fixed version	`23.3`
CVSS Score	`6.8`
CVSS Vector	`CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N`
EPSS Score	`0.044%`
EPSS Percentile	`12th percentile`

Description

When installing a package from a Mercurial VCS URL, e.g. pip install hg+..., with pip prior to v23.3, the specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone call (e.g. --config). Controlling the Mercurial configuration can modify how and which repository is installed. This vulnerability does not affect users who aren't installing from Mercurial.

openjpeg2 2.5.0-2+deb12u1 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=2.5.0-2+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.566%`
EPSS Percentile	`67th percentile`

Description

An issue was discovered in OpenJPEG 2.3.0. A heap-based buffer overflow was discovered in the function t2_encode_packet in lib/openmj2/t2.c. The vulnerability causes an out-of-bounds write, which may lead to remote denial of service or possibly unspecified other impact.

openjpeg2 (unimportant)
Potential heap-based buffer overflow in function t2_encode_packet in src/lib/openmj2/t2.c uclouvain/openjpeg#1127
We build with -DBUILD_MJ2:BOOL=OFF

Affected range	`>=2.5.0-2+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.352%`
EPSS Percentile	`57th percentile`

Description

An infinite loop vulnerability in tiftoimage that results in heap buffer overflow in convert_32s_C1P1 was found in openjpeg 2.1.2.

openjpeg2 (unimportant)
Out-of-Bounds Write issue can occur in function convert_32s_C1P1 (openjpeg-2.1.2/src/bin/jp2/convert.c:153) uclouvain/openjpeg#872
Fixed by: szukw000/openjpeg@cadff5f
not built into the binary packages

Affected range	`>=2.5.0-2+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.396%`
EPSS Percentile	`60th percentile`

Description

An integer overflow vulnerability was found in tiftoimage function in openjpeg 2.1.2, resulting in heap buffer overflow.

openjpeg2 (unimportant)
Out-of-Bounds Write issue caused by integer overflow that can occur in function convert_8u32s_C1R()(openjpeg-2.1.2/src/bin/jp2/convert.c:368). uclouvain/openjpeg#871
Fixed by: szukw000/openjpeg@cadff5f
not built into the binary packages

Affected range	`>=2.5.0-2+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.357%`
EPSS Percentile	`57th percentile`

Description

NULL Pointer Access in function imagetopnm of convert.c(jp2):1289 in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file.

openjpeg2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844556)
NULL Pointer Access in function imagetopnm of convert.c(jp2):1289 uclouvain/openjpeg#860
No code injection, function only exposed in the CLI tool

Affected range	`>=2.5.0-2+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.357%`
EPSS Percentile	`57th percentile`

Description

NULL Pointer Access in function imagetopnm of convert.c:2226(jp2) in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file.

openjpeg2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844555)
NULL Pointer Access in function imagetopnm of convert.c:2226(jp2) uclouvain/openjpeg#859
No code injection, function only exposed in the CLI tool

Affected range	`>=2.5.0-2+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.374%`
EPSS Percentile	`58th percentile`

Description

Heap Buffer Over-read in function imagetotga of convert.c(jp2):942 in OpenJPEG 2.1.2. Impact is Denial of Service. Someone must open a crafted j2k file.

openjpeg2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844554)
Heap Buffer Overflow in function imagetotga of convert.c(jp2):942 uclouvain/openjpeg#858
No code injection, function only exposed in the CLI tool

Affected range	`>=2.5.0-2+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.607%`
EPSS Percentile	`69th percentile`

Description

There is a NULL Pointer Access in function imagetopnm of convert.c:1943(jp2) of OpenJPEG 2.1.2. image->comps[compno].data is not assigned a value after initialization(NULL). Impact is Denial of Service.

openjpeg2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844553)
NULL Pointer Access in function imagetopnm of convert.c:1943(jp2) uclouvain/openjpeg#857
No code injection, function only exposed in the CLI tool

Affected range	`>=2.5.0-2+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.448%`
EPSS Percentile	`63rd percentile`

Description

There is a NULL pointer dereference in function imagetobmp of convertbmp.c:980 of OpenJPEG 2.1.2. image->comps[0].data is not assigned a value after initialization(NULL). Impact is Denial of Service.

openjpeg2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=844552)
NULL point dereference in function imagetobmp of convertbmp.c uclouvain/openjpeg#856
No code injection, function only exposed in the CLI tool

Affected range	`>=2.5.0-2+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.656%`
EPSS Percentile	`70th percentile`

Description

NULL pointer dereference vulnerabilities in the imagetopnm function in convert.c, sycc444_to_rgb function in color.c, color_esycc_to_rgb function in color.c, and sycc422_to_rgb function in color.c in OpenJPEG before 2.2.0 allow remote attackers to cause a denial of service (application crash) via crafted j2k files.

openjpeg2 (unimportant)
[CVE-2016-10505] Null Pointer Access in function imagetopnm of convert.c uclouvain/openjpeg#776
[CVE-2016-10505] Null Pointer Access in function sycc444_to_rgb of color.c uclouvain/openjpeg#784
[CVE-2016-10505] Null Pointer Access in function color_esycc_to_rgb of color.c uclouvain/openjpeg#785
[CVE-2016-10505] Null Pointer Access in function sycc422_to_rgb of color.c uclouvain/openjpeg#792

llvm-toolchain-15 1:15.0.6-4 (deb)

pkg:deb/debian/llvm-toolchain-15@1%3A15.0.6-4?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=1:15.0.6-4`
Fixed version	Not Fixed
EPSS Score	`0.103%`
EPSS Percentile	`29th percentile`

Description

LLVM before 18.1.3 generates code in which the LR register can be overwritten without data being saved to the stack, and thus there can sometimes be an exploitable error in the flow of control. This affects the ARM backend and can be demonstrated with Clang. NOTE: the vendor perspective is "we don't have strong objections for a CVE to be created ... It does seem that the likelihood of this miscompile enabling an exploit remains very low, because the miscompile resulting in this JOP gadget is such that the function is most likely to crash on most valid inputs to the function. So, if this function is covered by any testing, the miscompile is most likely to be discovered before the binary is shipped to production."

llvm-toolchain-14 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070384; unimportant)

llvm-toolchain-15 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070383; unimportant)

llvm-toolchain-16 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070382; unimportant)

llvm-toolchain-17 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070381; unimportant)

llvm-toolchain-18 1:18.1.3-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070380; unimportant)
[Bug][Clang][ARM] Wrong assembly code generation, "LR" corrupted. llvm/llvm-project#80287
https://bugs.chromium.org/p/llvm/issues/detail?id=69
llvmbot/llvm-project@0e16af8
Negligible security impact

Affected range	`>=1:15.0.6-4`
Fixed version	Not Fixed
EPSS Score	`0.031%`
EPSS Percentile	`7th percentile`

Description

llvm-project commit a0138390 was discovered to contain a segmentation fault via the component mlir::Type::isa<mlir::LLVM::LLVMVoidType.

llvm-toolchain-13 (unimportant)

llvm-toolchain-14 (unimportant)

llvm-toolchain-15 (unimportant)
[mlir] Convert-spirv-to-llvm Pass trigger Segmentation fault in LLVMStructType verifier llvm/llvm-project#59990
Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue

Affected range	`>=1:15.0.6-4`
Fixed version	Not Fixed
EPSS Score	`0.024%`
EPSS Percentile	`5th percentile`

Description

llvm-project commit a0138390 was discovered to contain a segmentation fault via the component matchAndRewriteSortOpmlir::sparse_tensor::SortOp(mlir::sparse_tensor::SortOp.

llvm-toolchain-13 (unimportant)

llvm-toolchain-14 (unimportant)

llvm-toolchain-15 (unimportant)
[mlir] Sparse-buffer-rewrite pass crashes with Segmentation fault llvm/llvm-project#59988
llvm/llvm-project@9a29d87
Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue

Affected range	`>=1:15.0.6-4`
Fixed version	Not Fixed
EPSS Score	`0.019%`
EPSS Percentile	`3rd percentile`

Description

llvm-project commit a0138390 was discovered to contain a segmentation fault via the component mlir::spirv::TargetEnv::TargetEnv(mlir::spirv::TargetEnvAttr).

llvm-toolchain-13 1:13.0.1-12 (unimportant)

llvm-toolchain-14 1:14.0.6-13 (unimportant)

llvm-toolchain-15 1:15.0.7-7 (unimportant)
[mlir] spirv-lower-abi-attrs crashes with segmentation faults llvm/llvm-project#59983
llvm/llvm-project@466aa58
Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue

Affected range	`>=1:15.0.6-4`
Fixed version	Not Fixed
EPSS Score	`0.031%`
EPSS Percentile	`7th percentile`

Description

llvm-project commit a0138390 was discovered to contain an assertion failure at !replacements.count(op) && "operation was already replaced.

llvm-toolchain-13 (unimportant)

llvm-toolchain-14 (unimportant)

llvm-toolchain-15 (unimportant)
[mlir] gpu-to-llvm Pass crashed with error message "Assertion failed: (!replacements.count(op) && "operation was already replaced")" llvm/llvm-project#59182
Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue

Affected range	`>=1:15.0.6-4`
Fixed version	Not Fixed
EPSS Score	`0.020%`
EPSS Percentile	`3rd percentile`

Description

llvm-project commit 6c01b5c was discovered to contain a segmentation fault via the component mlir::Type::getDialect().

llvm-toolchain-13 1:13.0.1-12 (unimportant)

llvm-toolchain-14 1:14.0.6-13 (unimportant)

llvm-toolchain-15 1:15.0.7-7 (unimportant)
[mlir] convert-scf-to-spirv Pass crashed with segmentation fault llvm/llvm-project#59136
llvm/llvm-project@80d5400
Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue

Affected range	`>=1:15.0.6-4`
Fixed version	Not Fixed
EPSS Score	`0.020%`
EPSS Percentile	`3rd percentile`

Description

llvm-project commit bd456297 was discovered to contain a segmentation fault via the component mlir::Block::getArgument.

llvm-toolchain-13 (unimportant)

llvm-toolchain-14 (unimportant)

llvm-toolchain-15 1:15.0.7-7 (unimportant)
[mlir] One shot bufferize crashed with segmentation fault. llvm/llvm-project#59442
Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue

Affected range	`>=1:15.0.6-4`
Fixed version	Not Fixed
EPSS Score	`0.020%`
EPSS Percentile	`3rd percentile`

Description

llvm-project commit fdbc55a5 was discovered to contain a segmentation fault via the component mlir::IROperand<mlir::OpOperand.

llvm-toolchain-13 1:13.0.1-12 (unimportant)

llvm-toolchain-14 1:14.0.6-13 (unimportant)

llvm-toolchain-15 1:15.0.7-7 (unimportant)
[mlir] canonicalize pass crashed with segmentation fault llvm/llvm-project#58745
llvm/llvm-project@d35fcf0
Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue

Affected range	`>=1:15.0.6-4`
Fixed version	Not Fixed
EPSS Score	`0.025%`
EPSS Percentile	`5th percentile`

Description

LLVM a0dab4950 has a segmentation fault in mlir::outlineSingleBlockRegion. NOTE: third parties dispute this because the LLVM security policy excludes "Language front-ends ... for which a malicious input file can cause undesirable behavior."

llvm-toolchain-14 (unimportant)

llvm-toolchain-15 (unimportant)
Negligible security impact, also see https://llvm.org/docs/Security.html#what-is-considered-a-security-issue

glibc 2.36-9+deb12u10 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u10?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=2.36-9+deb12u10`
Fixed version	Not Fixed
EPSS Score	`0.164%`
EPSS Percentile	`38th percentile`

Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(|)(\1\1)*' in grep, a different issue than CVE-2018-20796. NOTE: the software maintainer disputes that this is a vulnerability because the behavior occurs only with a crafted pattern

glibc (unimportant)

eglibc (unimportant)
https://sourceware.org/bugzilla/show_bug.cgi?id=24269

Affected range	`>=2.36-9+deb12u10`
Fixed version	Not Fixed
EPSS Score	`0.235%`
EPSS Percentile	`46th percentile`

Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may guess the heap addresses of pthread_created thread. The component is: glibc. NOTE: the vendor's position is "ASLR bypass itself is not a vulnerability.

glibc (unimportant)
Not treated as a security issue by upstream
https://sourceware.org/bugzilla/show_bug.cgi?id=22853

Affected range	`>=2.36-9+deb12u10`
Fixed version	Not Fixed
EPSS Score	`0.391%`
EPSS Percentile	`59th percentile`

Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass ASLR using cache of thread stack and heap. The component is: glibc. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

glibc (unimportant)
Not treated as a security issue by upstream
https://sourceware.org/bugzilla/show_bug.cgi?id=22852

Affected range	`>=2.36-9+deb12u10`
Fixed version	Not Fixed
EPSS Score	`0.703%`
EPSS Percentile	`71st percentile`

Description

GNU Libc current is affected by: Re-mapping current loaded library with malicious ELF file. The impact is: In worst case attacker may evaluate privileges. The component is: libld. The attack vector is: Attacker sends 2 ELF files to victim and asks to run ldd on it. ldd execute code. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

glibc (unimportant)
Not treated as a security issue by upstream
https://sourceware.org/bugzilla/show_bug.cgi?id=22851

Affected range	`>=2.36-9+deb12u10`
Fixed version	Not Fixed
EPSS Score	`0.145%`
EPSS Percentile	`36th percentile`

Description

GNU Libc current is affected by: Mitigation bypass. The impact is: Attacker may bypass stack guard protection. The component is: nptl. The attack vector is: Exploit stack buffer overflow vulnerability and use this bypass vulnerability to bypass stack guard. NOTE: Upstream comments indicate "this is being treated as a non-security bug and no real threat.

glibc (unimportant)
Not treated as a security issue by upstream
https://sourceware.org/bugzilla/show_bug.cgi?id=22850

Affected range	`>=2.36-9+deb12u10`
Fixed version	Not Fixed
EPSS Score	`2.410%`
EPSS Percentile	`84th percentile`

Description

In the GNU C Library (aka glibc or libc6) through 2.29, check_dst_limits_calc_pos_1 in posix/regexec.c has Uncontrolled Recursion, as demonstrated by '(\227|)(\1\1|t1|\\2537)+' in grep.

glibc (unimportant)

eglibc (unimportant)
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34141
https://lists.gnu.org/archive/html/bug-gnulib/2019-01/msg00108.html
No treated as vulnerability: https://sourceware.org/glibc/wiki/Security%20Exceptions

Affected range	`>=2.36-9+deb12u10`
Fixed version	Not Fixed
EPSS Score	`0.373%`
EPSS Percentile	`58th percentile`

Description

The glob implementation in the GNU C Library (aka glibc or libc6) allows remote authenticated users to cause a denial of service (CPU and memory consumption) via crafted glob expressions that do not match any pathnames, as demonstrated by glob expressions in STAT commands to an FTP daemon, a different vulnerability than CVE-2010-2632.

glibc (unimportant)

eglibc (unimportant)
That's standard POSIX behaviour implemented by (e)glibc. Applications using
glob need to impose limits for themselves

elfutils 0.188-2.1 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=0.188-2.1`
Fixed version	Not Fixed
EPSS Score	`0.065%`
EPSS Percentile	`20th percentile`

Description

A vulnerability, which was classified as problematic, has been found in GNU elfutils 0.192. This issue affects the function gelf_getsymshndx of the file strip.c of the component eu-strip. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is fbf1df9ca286de3323ae541973b08449f8d03aba. It is recommended to apply a patch to fix this issue.

elfutils (unimportant)
https://sourceware.org/bugzilla/show_bug.cgi?id=32673
https://sourceware.org/git/?p=elfutils.git;a=fbf1df9ca286de3323ae541973b08449f8d03aba
Crash in CLI tool, considered only to be a normal bug by upstream

Affected range	`>=0.188-2.1`
Fixed version	Not Fixed
EPSS Score	`0.048%`
EPSS Percentile	`14th percentile`

Description

A vulnerability classified as problematic was found in GNU elfutils 0.192. This vulnerability affects the function elf_strptr in the library /libelf/elf_strptr.c of the component eu-strip. The manipulation leads to denial of service. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is b16f441cca0a4841050e3215a9f120a6d8aea918. It is recommended to apply a patch to fix this issue.

elfutils (unimportant)
https://sourceware.org/bugzilla/show_bug.cgi?id=32672
https://sourceware.org/git/?p=elfutils.git;a=commit;h=b16f441cca0a4841050e3215a9f120a6d8aea918
Crash in CLI tool, considered only to be a normal bug by upstream

Affected range	`>=0.188-2.1`
Fixed version	Not Fixed
EPSS Score	`0.031%`
EPSS Percentile	`7th percentile`

Description

A vulnerability was found in GNU elfutils 0.192. It has been declared as critical. Affected by this vulnerability is the function dump_data_section/print_string_section of the file readelf.c of the component eu-readelf. The manipulation of the argument z/x leads to buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The identifier of the patch is 73db9d2021cab9e23fd734b0a76a612d52a6f1db. It is recommended to apply a patch to fix this issue.

elfutils (unimportant)
https://sourceware.org/bugzilla/show_bug.cgi?id=32656
https://sourceware.org/bugzilla/show_bug.cgi?id=32657
https://sourceware.org/git/?p=elfutils.git;a=commit;h=73db9d2021cab9e23fd734b0a76a612d52a6f1db
Crash in CLI tool, considered only to be a normal bug by upstream

Affected range	`>=0.188-2.1`
Fixed version	Not Fixed
EPSS Score	`0.029%`
EPSS Percentile	`6th percentile`

Description

A vulnerability has been found in GNU elfutils 0.192 and classified as problematic. This vulnerability affects the function handle_dynamic_symtab of the file readelf.c of the component eu-read. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is identified as b38e562a4c907e08171c76b8b2def8464d5a104a. It is recommended to apply a patch to fix this issue.

elfutils (unimportant)
https://sourceware.org/bugzilla/show_bug.cgi?id=32655
https://sourceware.org/git/?p=elfutils.git;a=commit;h=b38e562a4c907e08171c76b8b2def8464d5a104a
Crash in CLI tool, considered only to be a normal bug by upstream

Affected range	`>=0.188-2.1`
Fixed version	Not Fixed
EPSS Score	`0.027%`
EPSS Percentile	`6th percentile`

Description

A vulnerability, which was classified as critical, was found in GNU elfutils 0.192. This affects the function process_symtab of the file readelf.c of the component eu-readelf. The manipulation of the argument D/a leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The identifier of the patch is 5e5c0394d82c53e97750fe7b18023e6f84157b81. It is recommended to apply a patch to fix this issue.

elfutils (unimportant)
https://sourceware.org/bugzilla/show_bug.cgi?id=32654
https://sourceware.org/git/?p=elfutils.git;a=commit;h=5e5c0394d82c53e97750fe7b18023e6f84157b81
Crash in CLI tool, considered only to be a normal bug by upstream

Affected range	`>=0.188-2.1`
Fixed version	Not Fixed
EPSS Score	`0.135%`
EPSS Percentile	`34th percentile`

Description

A vulnerability has been found in GNU elfutils 0.192 and classified as critical. This vulnerability affects the function __libdw_thread_tail in the library libdw_alloc.c of the component eu-readelf. The manipulation of the argument w leads to memory corruption. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 2636426a091bd6c6f7f02e49ab20d4cdc6bfc753. It is recommended to apply a patch to fix this issue.

elfutils (unimportant)
https://sourceware.org/bugzilla/show_bug.cgi?id=32650
Fixed by: https://sourceware.org/git/?p=elfutils.git;a=2636426a091bd6c6f7f02e49ab20d4cdc6bfc753
Crash in CLI tool, considered only to be a normal bug by upstream

Affected range	`>=0.188-2.1`
Fixed version	Not Fixed
EPSS Score	`0.021%`
EPSS Percentile	`4th percentile`

Description

elfutils v0.189 was discovered to contain a NULL pointer dereference via the handle_verdef() function at readelf.c.

elfutils (unimportant)
https://sourceware.org/bugzilla/show_bug.cgi?id=31058
https://sourceware.org/git/?p=elfutils.git;a=commit;h=373f5212677235fc3ca6068b887111554790f944
Crash in CLI tool, considered only to be a normal bug by upstream

mesa 22.3.6-1+deb12u1 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=22.3.6-1+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.162%`
EPSS Percentile	`38th percentile`

Description

Mesa 23.0.4 was discovered to contain a NULL pointer dereference in check_xshm() for the has_error state. NOTE: this is disputed because there is no scenario in which the vulnerability was demonstrated.

mesa (unimportant)
https://gitlab.freedesktop.org/mesa/mesa/-/issues/9859
Disputed and no reasonable security impact proven

Affected range	`>=22.3.6-1+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.060%`
EPSS Percentile	`19th percentile`

Description

glx_pbuffer.c in Mesa 23.0.4 was discovered to contain a segmentation violation when calling __glXGetDrawableAttribute(). NOTE: this is disputed because there are no common situations in which users require uninterrupted operation with an attacker-controller server.

mesa (unimportant)
https://gitlab.freedesktop.org/mesa/mesa/-/issues/9857
Negligible security impact

Affected range	`>=22.3.6-1+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.056%`
EPSS Percentile	`17th percentile`

Description

Mesa 23.0.4 was discovered to contain a buffer over-read in glXQueryServerString(). NOTE: this is disputed because there are no common situations in which users require uninterrupted operation with an attacker-controller server.

mesa (unimportant)
https://gitlab.freedesktop.org/mesa/mesa/-/issues/9858
Negligible (and disputed) security impact

Affected range	`>=22.3.6-1+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.017%`
EPSS Percentile	`2nd percentile`

Description

Mesa v23.0.4 was discovered to contain a NULL pointer dereference via the function dri2GetGlxDrawableFromXDrawableId(). This vulnerability is triggered when the X11 server sends an DRI2_BufferSwapComplete event unexpectedly when the application is using DRI3. NOTE: this is disputed because there is no scenario in which the vulnerability was demonstrated.

mesa (unimportant)
https://gitlab.freedesktop.org/mesa/mesa/-/issues/9856
Negligible (and disputed) security impact

systemd 252.38-1~deb12u1 (deb)

pkg:deb/debian/[email protected]~deb12u1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=252.36-1~deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.094%`
EPSS Percentile	`27th percentile`

Description

An issue was discovered in systemd 253. An attacker can modify the contents of past events in a sealed log file and then adjust the file such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

systemd (unimportant)
Disputed by upstream
https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf

Affected range	`>=252.36-1~deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.100%`
EPSS Percentile	`28th percentile`

Description

An issue was discovered in systemd 253. An attacker can truncate a sealed log file and then resume log sealing such that checking the integrity shows no error, despite modifications. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

systemd (unimportant)
Disputed by upstream
https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf

Affected range	`>=252.36-1~deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.128%`
EPSS Percentile	`33rd percentile`

Description

An issue was discovered in systemd 253. An attacker can modify a sealed log file such that, in some views, not all existing and sealed log messages are displayed. NOTE: the vendor reportedly sent "a reply denying that any of the finding was a security vulnerability."

systemd (unimportant)
Disputed by upstream
https://github.com/kastel-security/Journald/blob/main/journald-publication.pdf

Affected range	`>=252.36-1~deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.067%`
EPSS Percentile	`21st percentile`

Description

systemd, when updating file permissions, allows local users to change the permissions and SELinux security contexts for arbitrary files via a symlink attack on unspecified files.

systemd (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=725357)
[wheezy] - systemd (/etc/tmpfiles.d not supported in Wheezy)
https://bugzilla.redhat.com/show_bug.cgi?id=859060
only relevant to systems running systemd along with selinux

krb5 1.20.1-2+deb12u3 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u3?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=1.20.1-2+deb12u3`
Fixed version	Not Fixed
EPSS Score	`0.084%`
EPSS Percentile	`25th percentile`

Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.

krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant)
https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_2.md
Fixed by: krb5/krb5@c5f9c81
Codepath cannot be triggered via API calls, negligible security impact
https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html

Affected range	`>=1.20.1-2+deb12u3`
Fixed version	Not Fixed
EPSS Score	`0.212%`
EPSS Percentile	`44th percentile`

Description

Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c.

krb5 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098754; unimportant)
https://github.com/LuMingYinDetect/krb5_defects/blob/main/krb5_detect_1.md
Fixed by: krb5/krb5@c5f9c81
Unused codepath, negligible security impact
https://mailman.mit.edu/pipermail/kerberos/2024-March/023095.html

Affected range	`>=1.20.1-2+deb12u3`
Fixed version	Not Fixed
EPSS Score	`0.463%`
EPSS Percentile	`63rd percentile`

Description

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.

krb5 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889684)
https://github.com/poojamnit/Kerberos-V5-1.16-Vulnerabilities/tree/master/Integer%20Overflow
non-issue, codepath is only run on trusted input, potential integer
overflow is non-issue

slang2 2.3.3-3 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=2.3.3-3`
Fixed version	Not Fixed
EPSS Score	`0.203%`
EPSS Percentile	`43rd percentile`

Description

S-Lang 2.3.2 was discovered to contain a segmentation fault via the function fixup_tgetstr().

slang2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068144)
http://lists.jedsoft.org/lists/slang-users/2023/0000002.html
Negligible security impact

Affected range	`>=2.3.3-3`
Fixed version	Not Fixed
EPSS Score	`0.265%`
EPSS Percentile	`50th percentile`

Description

S-Lang 2.3.2 was discovered to contain an arithmetic exception via the function tt_sprintf().

slang2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068144)
http://lists.jedsoft.org/lists/slang-users/2023/0000003.html
Negligible security impact

coreutils 9.1-1 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=9.1-1`
Fixed version	Not Fixed
EPSS Score	`0.018%`
EPSS Percentile	`3rd percentile`

Description

A flaw was found in GNU Coreutils. The sort utility's begfield() function is vulnerable to a heap buffer under-read. The program may access memory outside the allocated buffer if a user runs a crafted command using the traditional key format. A malicious input could lead to a crash or leak sensitive data.

coreutils (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1106733; unimportant)
https://bugzilla.redhat.com/show_bug.cgi?id=2368764
https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00036.html
https://lists.gnu.org/archive/html/bug-coreutils/2025-05/msg00040.html
https://cgit.git.savannah.gnu.org/cgit/coreutils.git/commit/?id=8c9602e3a145e9596dc1a63c6ed67865814b6633
https://www.openwall.com/lists/oss-security/2025/05/27/2
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=78507
Crash in CLI tool, no security impact

Affected range	`>=9.1-1`
Fixed version	Not Fixed
EPSS Score	`0.056%`
EPSS Percentile	`17th percentile`

Description

In GNU Coreutils through 8.29, chown-core.c in chown and chgrp does not prevent replacement of a plain file with a symlink during use of the POSIX "-R -L" options, which allows local users to modify the ownership of arbitrary files by leveraging a race condition.

coreutils (unimportant)
http://lists.gnu.org/archive/html/coreutils/2017-12/msg00045.html
https://www.openwall.com/lists/oss-security/2018/01/04/3
Documentation patches proposed:
https://lists.gnu.org/archive/html/coreutils/2017-12/msg00072.html
https://lists.gnu.org/archive/html/coreutils/2017-12/msg00073.html
Neutralised by kernel hardening

libxml2 2.9.14+dfsg-1.3~deb12u2 (deb)

pkg:deb/debian/[email protected]%2Bdfsg-1.3~deb12u2?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=2.9.14+dfsg-1.3~deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.014%`
EPSS Percentile	`2nd percentile`

Description

A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all."

libxml2 (unimportant)
https://gitlab.gnome.org/GNOME/libxml2/-/issues/958
https://gitlab.gnome.org/GNOME/libxml2/-/issues/958#note_2505853
Issue can only be triggered with untrusted SGML, negligible security impact

Affected range	`>=2.9.14+dfsg-1.3~deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.018%`
EPSS Percentile	`3rd percentile`

Description

A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.

libxml2 2.12.7+dfsg+really2.9.14-2.1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107938; unimportant)
https://gitlab.gnome.org/GNOME/libxml2/-/issues/941
Crash in CLI tool, no security impact
Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/c340e419505cf4bf1d9ed7019a87cc00ec200434 (2.14)

expat 2.5.0-1+deb12u1 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=2.5.0-1+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.474%`
EPSS Percentile	`64th percentile`

Description

libexpat through 2.6.1 allows an XML Entity Expansion attack when there is isolated use of external parsers (created via XML_ExternalEntityParserCreate).

expat 2.6.1-2 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065868; unimportant)

libxmltok
[bookworm] - libxmltok (Minor issue, no runtime dependencies left)
[CVE-2024-28757] Prevent billion laughs attacks in isolated external parser (part of #839) libexpat/libexpat#842
OSS-Fuzz/ClusterFuzz finding 66812 libexpat/libexpat#839
Fixed by: libexpat/libexpat@1d50b80
Tests: libexpat/libexpat@072eca0
Expat provides API to mitigate expansion attacks, ultimately under control of the app using Expat
Cf. Billion laughs attack assessment for src:expat in CVE-2013-0340.

Affected range	`>=2.5.0-1+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.019%`
EPSS Percentile	`3rd percentile`

Description

libexpat through 2.5.0 allows recursive XML Entity Expansion if XML_DTD is undefined at compile time.

expat 2.6.0-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063240; unimportant)

libxmltok
[bookworm] - libxmltok (Minor issue, no runtime dependencies left)
[CVE-2023-52426] Fix issues for compilation with XML_DTD undefined libexpat/libexpat#777
libexpat/libexpat@0f075ec
[CVE-2023-52426] Fix issues for compilation with XML_DTD undefined libexpat/libexpat#777 (comment)
CVE is for fixing billion laughs attacks for users compiling without XML_DTD defined,
which is not the case for Debian.

lcms2 2.14-2 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=2.14-2`
Fixed version	Not Fixed
EPSS Score	`0.228%`
EPSS Percentile	`46th percentile`

Description

A heap buffer overflow vulnerability has been identified in thesmooth2() in cmsgamma.c in lcms2-2.16 which allows a remote attacker to cause a denial of service. NOTE: the Supplier disputes this because "this is not exploitable as this function is never called on normal color management, is there only as a helper for low-level programming and investigation."

lcms2 (unimportant)
Heap Buffer Overflow in smooth2() in cmsgamma.c mm2/Little-CMS#475
Fixed by: mm2/Little-CMS@ec399d6
Negligible security impact, affected fuction never called on normal color managment

Affected range	`>=2.14-2`
Fixed version	Not Fixed
EPSS Score	`0.071%`
EPSS Percentile	`22nd percentile`

Description

A heap buffer overflow vulnerability has been identified in the lcms2-2.16. The vulnerability exists in the UnrollChunkyBytes function in cmspack.c, which is responsible for handling color space transformations.

mm2/Little-CMS#476
Not considered an issue in src:lcms2 but in the fuzzer

openssl 3.0.16-1~deb12u1 (deb)

pkg:deb/debian/[email protected]~deb12u1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=3.0.16-1~deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.050%`
EPSS Percentile	`15th percentile`

Description

OpenSSL 3.0.0 through 3.3.2 on the PowerPC architecture is vulnerable to a Minerva attack, exploitable by measuring the time of signing of random messages using the EVP_DigestSign API, and then using the private key to extract the K value (nonce) from the signatures. Next, based on the bit size of the extracted nonce, one can compare the signing time of full-sized nonces to signatures that used smaller nonces, via statistical tests. There is a side-channel in the P-364 curve that allows private key extraction (also, there is a dependency between the bit size of K and the size of the side channel). NOTE: This CVE is disputed because the OpenSSL security policy explicitly notes that any side channels which require same physical system to be detected are outside of the threat model for the software. The timing signal is so small that it is infeasible to be detected without having the attacking process running on the same physical system.

openssl 3.5.0-1 (unimportant)
Minerva attack on power PC architecture openssl/openssl#24253
openssl/openssl@85cabd9 (master)
openssl/openssl@080c6be (openssl-3.5.0-beta1)
Minerva attack on power PC architecture openssl/openssl#24253 (comment)
Not considered a vulnerability by OpenSSL upstream

Affected range	`>=3.0.11-1~deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.109%`
EPSS Percentile	`30th percentile`

Description

OpenSSL 0.9.8i on the Gaisler Research LEON3 SoC on the Xilinx Virtex-II Pro FPGA uses a Fixed Width Exponentiation (FWE) algorithm for certain signature calculations, and does not verify the signature before providing it to a caller, which makes it easier for physically proximate attackers to determine the private key via a modified supply voltage for the microprocessor, related to a "fault-based attack."

http://www.eecs.umich.edu/~valeria/research/publications/DATE10RSA.pdf
openssl/openssl#24540
Fault injection based attacks are not within OpenSSLs threat model according
to the security policy: https://www.openssl.org/policies/general/security-policy.html

perl 5.36.0-7+deb12u2 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u2?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=5.36.0-7+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.448%`
EPSS Percentile	`63rd percentile`

Description

HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates.

libhttp-tiny-perl 0.088-1 (bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962407; unimportant)
[experimental] - perl 5.38.0~rc2-1

perl 5.38.2-2 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954089)
https://www.openwall.com/lists/oss-security/2023/04/18/14
verify_SSL being true by default (redux) chansen/p5-http-tiny#134
https://blog.hackeriet.no/perl-http-tiny-insecure-tls-default-affects-cpan-modules/
https://hackeriet.github.io/cpan-http-tiny-overview/
Applications need to explicitly opt in to enable verification.

Affected range	`>=5.36.0-7+deb12u2`
Fixed version	Not Fixed
EPSS Score	`0.161%`
EPSS Percentile	`38th percentile`

Description

_is_safe in the File::Temp module for Perl does not properly handle symlinks.

perl (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776268)
http://thread.gmane.org/gmane.comp.security.oss.general/6174/focus=6177
File:Temp::_is_safe() allows unsafe traversal of symlinks [rt.cpan.org #69106] Perl-Toolchain-Gang/File-Temp#14

libgcrypt20 1.10.1-3 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=1.10.1-3`
Fixed version	Not Fixed
EPSS Score	`0.266%`
EPSS Percentile	`50th percentile`

Description

A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

libgcrypt20 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065683)
https://bugzilla.redhat.com/show_bug.cgi?id=2268268
https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html
https://github.com/tomato42/marvin-toolkit/tree/master/example/libgcrypt
https://people.redhat.com/~hkario/marvin/
https://dev.gnupg.org/T7136
https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/17
Not in scope for libgcrypt security policy, work ongoing to add support in the protocol layer

Affected range	`>=1.10.1-3`
Fixed version	Not Fixed
EPSS Score	`1.266%`
EPSS Percentile	`79th percentile`

Description

cipher/elgamal.c in Libgcrypt through 1.8.2, when used to encrypt messages directly, improperly encodes plaintexts, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for Libgcrypt's ElGamal implementation.

libgcrypt20 (unimportant)

libgcrypt11 (unimportant)

gnupg1 (unimportant)

gnupg (unimportant)
https://github.com/weikengchen/attack-on-libgcrypt-elgamal
https://github.com/weikengchen/attack-on-libgcrypt-elgamal/wiki
https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004394.html
GnuPG uses ElGamal in hybrid mode only.
This is not a vulnerability in libgcrypt, but in an application using
it in an insecure manner, see also
https://lists.gnupg.org/pipermail/gcrypt-devel/2018-February/004401.html

libglvnd 1.6.0-1 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=1.6.0-1`
Fixed version	Not Fixed
EPSS Score	`0.123%`
EPSS Percentile	`32nd percentile`

Description

libglxproto.c in OpenGL libglvnd bb06db5a was discovered to contain a segmentation violation via the function glXGetDrawableScreen(). NOTE: this is disputed because there are no common situations in which users require uninterrupted operation with an attacker-controller server.

libglvnd (unimportant)
https://gitlab.freedesktop.org/glvnd/libglvnd/-/issues/242
Negligible security impact

gnupg2 2.2.40-1.1 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=2.2.40-1.1`
Fixed version	Not Fixed
EPSS Score	`0.012%`
EPSS Percentile	`1st percentile`

Description

GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

gnupg2 (unimportant)
https://bugzilla.redhat.com/show_bug.cgi?id=2127010
https://dev.gnupg.org/D556
https://dev.gnupg.org/T5993
https://www.openwall.com/lists/oss-security/2022/07/04/8
GnuPG upstream is not implementing this change.

libpng1.6 1.6.39-2 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=1.6.39-2`
Fixed version	Not Fixed
EPSS Score	`0.056%`
EPSS Percentile	`17th percentile`

Description

A heap overflow flaw was found in libpngs' pngimage.c program. This flaw allows an attacker with local network access to pass a specially crafted PNG file to the pngimage utility, causing an application to crash, leading to a denial of service.

libpng1.6 (unimportant)
A potential heap overflow issue pnggroup/libpng#302
Crash in CLI package, not shipped in binary packages

jbigkit 2.1-6.1 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=2.1-6.1`
Fixed version	Not Fixed
EPSS Score	`0.354%`
EPSS Percentile	`57th percentile`

Description

In LibTIFF 4.0.8, there is a memory malloc failure in tif_jbig.c. A crafted TIFF document can lead to an abort resulting in a remote denial of service attack.

jbigkit (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=869708)
http://bugzilla.maptools.org/show_bug.cgi?id=2707
The CVE was assigned for src:tiff by MITRE, but the issue actually lies
in jbigkit itself.

libtheora 1.1.1+dfsg.1-16.1 (deb)

pkg:deb/debian/[email protected]%2Bdfsg.1-16.1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=1.1.1+dfsg.1-16.1`
Fixed version	Not Fixed
EPSS Score	`9.687%`
EPSS Percentile	`93rd percentile`

Description

oc_huff_tree_unpack in huffdec.c in libtheora in Theora through 1.0 7180717 has an invalid negative left shift. NOTE: this is disputed by third parties because there is no evidence of a security impact, e.g., an application would not crash.

libtheora 1.2.0~alpha1+dfsg-6 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1091633)
https://github.com/UnionTech-Software/libtheora-CVE-2024-56431-PoC
GHSA-8xp8-gmmj-xc8w
undefined shifts xiph/theora#18
https://gitlab.xiph.org/xiph/theora/-/merge_requests/28
Fixed by: https://gitlab.xiph.org/xiph/theora/-/commit/5665f86b8fd8345bb09469990e79221562ac204b (v1.2.0beta1)
No security impact

glib2.0 2.74.6-2+deb12u6 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u6?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=2.74.6-2+deb12u6`
Fixed version	Not Fixed
EPSS Score	`0.489%`
EPSS Percentile	`64th percentile`

Description

GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this issue may be disputed by the vendor; the existence of the g_str_hash function is not a vulnerability in the library, because callers of g_hash_table_new and g_hash_table_new_full can specify an arbitrary hash function that is appropriate for the application.

glib2.0 (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=655044)

libcaca 0.99.beta20-3 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=0.99.beta20-3`
Fixed version	Not Fixed
EPSS Score	`3.618%`
EPSS Percentile	`87th percentile`

Description

libcaca is affected by a Divide By Zero issue via img2txt, which allows a remote malicious user to cause a Denial of Service

libcaca (unimportant)
[BUG] Divide by zero in img2txt cacalabs/libcaca#65
Crash in CLI tool, no security impact

apt 2.6.1 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=2.6.1`
Fixed version	Not Fixed
EPSS Score	`1.509%`
EPSS Percentile	`80th percentile`

Description

It was found that apt-key in apt, all versions, do not correctly validate gpg keys with the master keyring, leading to a potential man-in-the-middle attack.

apt (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=642480)
Not exploitable in Debian, since no keyring URI is defined

gcc-12 12.2.0-14+deb12u1 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=12.2.0-14+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.044%`
EPSS Percentile	`12th percentile`

Description

libiberty/rust-demangle.c in GNU GCC 11.2 allows stack consumption in demangle_const, as demonstrated by nm-new.

gcc-12 (unimportant)
Negligible security impact
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105039

libvpx 1.12.0-1+deb12u4 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u4?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=1.12.0-1+deb12u3`
Fixed version	Not Fixed
EPSS Score	`2.719%`
EPSS Percentile	`85th percentile`

Description

A remote denial of service vulnerability in libvpx in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High severity due to the possibility of remote denial of service. Product: Android. Versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2. Android ID: A-34360591.

libvpx (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871931)
https://android.googlesource.com/platform/external/libvpx/+/698796fc930baecf5c3fdebef17e73d5d9a58bcb
Debian builds configures with --size-limit=16384x16384, Android lowered
the limit to something more aligned for smart phones

pixman 0.42.2-1 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=0.42.2-1`
Fixed version	Not Fixed
EPSS Score	`0.029%`
EPSS Percentile	`6th percentile`

Description

stress-test master commit e4c878 was discovered to contain a FPE vulnerability via the component combine_inner at /pixman-combine-float.c.

pixman (unimportant)
https://gitlab.freedesktop.org/pixman/pixman/-/issues/76
Crash in test tool, no security impact

jpeg-xl 0.7.0-10+deb12u1 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=0.7.0-10`
Fixed version	Not Fixed
EPSS Score	`0.303%`
EPSS Percentile	`53rd percentile`

Description

libjxl v0.5.0 is affected by a Assertion failed issue in lib/jxl/image.cc jxl::PlaneBase::PlaneBase(). When encoding a malicous GIF file using cjxl, an attacker can trigger a denial of service.

jpeg-xl (unimportant)
Assertion failed in lib/jxl/image.cc jxl::PlaneBase::PlaneBase libjxl/libjxl#422
Special case of better handling of memory allocation failures libjxl/libjxl#762
Negligible security impact

x264 2:0.164.3095+gitbaee400-3 (deb)

pkg:deb/debian/x264@2%3A0.164.3095%2Bgitbaee400-3?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=2:0.164.3095+gitbaee400-3`
Fixed version	Not Fixed
EPSS Score	`0.138%`
EPSS Percentile	`35th percentile`

Description

Insufficient tracking and releasing of allocated used memory in libx264 git master allows attackers to execute arbitrary code via creating a crafted AAC file.

x264 (unimportant)
Negligible security impact, usually only used for short-lived processes
https://code.videolan.org/videolan/x264/-/issues/75

shadow 1:4.13+dfsg1-1+deb12u1 (deb)

pkg:deb/debian/shadow@1%3A4.13%2Bdfsg1-1%2Bdeb12u1?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=1:4.13+dfsg1-1+deb12u1`
Fixed version	Not Fixed
EPSS Score	`0.332%`
EPSS Percentile	`55th percentile`

Description

initscripts in rPath Linux 1 sets insecure permissions for the /var/log/btmp file, which allows local users to obtain sensitive information regarding authentication attempts. NOTE: because sshd detects the insecure permissions and does not log certain events, this also prevents sshd from logging failed authentication attempts by remote attackers.

shadow (unimportant)
See #290803, on Debian LOG_UNKFAIL_ENAB in login.defs is set to no so
unknown usernames are not recorded on login failures

util-linux 2.38.1-5+deb12u3 (deb)

pkg:deb/debian/[email protected]%2Bdeb12u3?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=2.38.1-5+deb12u3`
Fixed version	Not Fixed
EPSS Score	`0.025%`
EPSS Percentile	`5th percentile`

Description

A flaw was found in the util-linux chfn and chsh utilities when compiled with Readline support. The Readline library uses an "INPUTRC" environment variable to get a path to the library config file. When the library cannot parse the specified file, it prints an error message containing data from the file. This flaw allows an unprivileged user to read root-owned files, potentially leading to privilege escalation. This flaw affects util-linux versions prior to 2.37.4.

util-linux (unimportant)
https://bugzilla.redhat.com/show_bug.cgi?id=2053151
https://lore.kernel.org/util-linux/[email protected]/T/#u
util-linux/util-linux@faa5a3a
util-linux in Debian does build with readline support but chfn and chsh are provided
by src:shadow and util-linux is configured with --disable-chfn-chsh

cairo 1.16.0-7 (deb)

pkg:deb/debian/[email protected]?os_distro=bookworm&os_name=debian&os_version=12

# Dockerfile (32:37)
RUN groupadd app && \
    useradd -m -g app -s /bin/bash app && \
    apt-get update -qq && \
    apt-get install -qq -y --no-install-recommends espeak-ng ffmpeg && \
    apt-get clean -qq && \
    rm -rf /var/lib/apt/lists/*

Affected range	`>=1.16.0-7`
Fixed version	Not Fixed
EPSS Score	`0.507%`
EPSS Percentile	`65th percentile`

Description

cairo through 1.15.14 has an out-of-bounds stack-memory write during processing of a crafted document by WebKitGTK+ because of the interaction between cairo-rectangular-scan-converter.c (the generate and render_rows functions) and cairo-image-compositor.c (the _cairo_image_spans_and_zero function).

cairo (unimportant; bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916083)
https://gitlab.freedesktop.org/cairo/cairo/issues/341
Negligible security impact

renovate · 2025-08-17T17:21:45Z

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

sonarqubecloud · 2025-08-17T17:23:19Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

mergify · 2025-08-17T17:27:40Z

Hi @renovate[bot], Your PR is in conflict and cannot be merged.

renovate · 2025-08-17T17:28:12Z

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

renovate bot changed the title ~~Pin jlumbroso/free-disk-space action to 54081f1~~ Pin jlumbroso/free-disk-space action to 54081f1 - autoclosed Aug 14, 2025

renovate bot closed this Aug 14, 2025

renovate bot deleted the renovate/pin-dependencies branch August 14, 2025 19:41

renovate bot changed the title ~~Pin jlumbroso/free-disk-space action to 54081f1 - autoclosed~~ Pin jlumbroso/free-disk-space action to 54081f1 Aug 17, 2025

renovate bot reopened this Aug 17, 2025

renovate bot changed the title ~~Pin jlumbroso/free-disk-space action to 54081f1~~ Pin github/codeql-action action to df55935 Aug 17, 2025

renovate bot force-pushed the renovate/pin-dependencies branch from 845a999 to 0687aca Compare August 17, 2025 01:30

Pin github/codeql-action action to df55935

771483f

renovate bot force-pushed the renovate/pin-dependencies branch from 0687aca to 771483f Compare August 17, 2025 01:32

renovate bot temporarily deployed to code_quality August 17, 2025 01:32 Inactive

renovate bot temporarily deployed to code_quality August 17, 2025 01:33 Inactive

renovate bot had a problem deploying to docker_image August 17, 2025 01:33 Failure

renovate bot had a problem deploying to code_quality August 17, 2025 01:33 Failure

renovate bot had a problem deploying to api_test August 17, 2025 01:37 Failure

renovate bot temporarily deployed to docker_image August 17, 2025 01:37 Inactive

renovate bot temporarily deployed to docker_image August 17, 2025 01:38 Inactive

Merge branch 'main' into renovate/pin-dependencies

126d365

mergify bot temporarily deployed to code_quality August 17, 2025 13:42 Inactive

mergify bot temporarily deployed to docker_image August 17, 2025 13:50 Inactive

mergify bot temporarily deployed to docker_image August 17, 2025 13:54 Inactive

Merge branch 'main' into renovate/pin-dependencies

4139bd4

mergify bot temporarily deployed to code_quality August 17, 2025 17:19 Inactive

mergify bot temporarily deployed to code_quality August 17, 2025 17:20 Inactive

mergify bot had a problem deploying to docker_image August 17, 2025 17:20 Error

mergify bot had a problem deploying to code_quality August 17, 2025 17:20 Failure

Merge branch 'main' into renovate/pin-dependencies

d745b66

mergify bot temporarily deployed to code_quality August 17, 2025 17:23 Inactive

mergify bot had a problem deploying to docker_image August 17, 2025 17:24 Failure

mergify bot had a problem deploying to code_quality August 17, 2025 17:24 Failure

mergify bot temporarily deployed to docker_image August 17, 2025 17:24 Inactive

mergify bot had a problem deploying to api_test August 17, 2025 17:24 Failure

mergify bot temporarily deployed to docker_image August 17, 2025 17:24 Inactive

mergify bot temporarily deployed to docker_image August 17, 2025 17:25 Inactive

renovate bot changed the title ~~Pin github/codeql-action action to df55935~~ Pin github/codeql-action action to df55935 - abandoned Aug 17, 2025

MH0386 closed this Aug 19, 2025

Pin github/codeql-action action to df55935 - abandoned #162

Pin github/codeql-action action to df55935 - abandoned #162

Uh oh!

Conversation

renovate bot commented Jul 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Configuration

Uh oh!

gitnotebooks bot commented Jul 6, 2025

Uh oh!

sourcery-ai bot commented Jul 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviewer's Guide

File-Level Changes

Interacting with Sourcery

Customizing Your Experience

Getting Help

Uh oh!

coderabbitai bot commented Jul 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review skipped

Chat

Support

CodeRabbit Commands (Invoked using PR/Issue comments)

Other keywords and placeholders

CodeRabbit Configuration File (.coderabbit.yaml)

Status, Documentation and Community

Uh oh!

deepsource-io bot commented Jul 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Analysis Summary

Uh oh!

sonarqubecloud bot commented Jul 6, 2025

Quality Gate passed

Uh oh!

github-actions bot commented Jul 6, 2025

Qodana for Python

Uh oh!

mergify bot commented Aug 17, 2025

Uh oh!

mergify bot commented Aug 17, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🧪 CI Insights

❌ Failed Jobs

Uh oh!

MH0386 commented Aug 17, 2025

Recommended fixes for image ghcr.io/alphaspheredotai/visualizr:d9d4962-pr-162

Refresh base image

Change base image

Uh oh!

MH0386 commented Aug 17, 2025

Uh oh!

MH0386 commented Aug 17, 2025

🔍 Vulnerabilities of ghcr.io/alphaspheredotai/visualizr:d9d4962-pr-162

Description

Background knowledge

Credit

Summary

Details

Risk Assessment

Impact

References

Summary

Severity

Proof of Concept

Remediation and Mitigation

Summary

Severity & Impact

Proof of Concept

Mitigation / Patching

Affected usages

Remediation

Affected usages

Remediation

Affected usages

Impact

Remediation

Affected usages

Remediation

Summary

renovate bot commented Jul 6, 2025 •

edited

Loading

sourcery-ai bot commented Jul 6, 2025 •

edited

Loading

coderabbitai bot commented Jul 6, 2025 •

edited

Loading

CodeRabbit Configuration File (`.coderabbit.yaml`)

deepsource-io bot commented Jul 6, 2025 •

edited

Loading

mergify bot commented Aug 17, 2025 •

edited

Loading

Recommended fixes for image `ghcr.io/alphaspheredotai/visualizr:d9d4962-pr-162`

🔍 Vulnerabilities of `ghcr.io/alphaspheredotai/visualizr:d9d4962-pr-162`